cve-2014-0114
Vulnerability from cvelistv5
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T09:05:38.989Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "[apache-ignite-developers] 20180601 [CVE-2014-0114]: Apache Ignite is vulnerable to existing CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html", }, { name: "57477", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/57477", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.vmware.com/security/advisories/VMSA-2014-0008.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://issues.apache.org/jira/browse/BEANUTILS-463", }, { name: "58710", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/58710", }, { name: "MDVSA-2014:095", tags: [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred", ], url: "http://www.mandriva.com/security/advisories?name=MDVSA-2014:095", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.vmware.com/security/advisories/VMSA-2014-0012.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675689", }, { name: "FEDORA-2014-9380", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: 
"http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21674812", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20140911-0001/", }, { name: "59464", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/59464", }, { name: "59118", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/59118", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20180629-0006/", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675387", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://access.redhat.com/solutions/869353", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://advisories.mageia.org/MGASA-2014-0219.html", }, { name: "60703", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/60703", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675972", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676375", }, { name: "[oss-security] 20140707 Re: CVE request for commons-beanutils: 'class' property is exposed, potentially leading to 
RCE", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://openwall.com/lists/oss-security/2014/07/08/1", }, { name: "RHSA-2018:2669", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:2669", }, { name: "GLSA-201607-09", tags: [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred", ], url: "https://security.gentoo.org/glsa/201607-09", }, { name: "HPSBST03160", tags: [ "vendor-advisory", "x_refsource_HP", "x_transferred", ], url: "http://marc.info/?l=bugtraq&m=141451023707502&w=2", }, { name: "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "http://www.securityfocus.com/archive/1/534161/100/0/threaded", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675898", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676110", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www-01.ibm.com/support/docview.wss?uid=swg27042296", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676303", }, { name: "59228", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/59228", }, { name: "59246", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/59246", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: 
"http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1116665", }, { name: "[oss-security] 20140616 CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://openwall.com/lists/oss-security/2014/06/15/10", }, { name: "59245", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/59245", }, { name: "HPSBMU03090", tags: [ "vendor-advisory", "x_refsource_HP", "x_transferred", ], url: "http://marc.info/?l=bugtraq&m=140801096002766&w=2", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21674128", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676931", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html", }, { name: "60177", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/60177", }, { name: "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities", tags: [ "mailing-list", "x_refsource_FULLDISC", "x_transferred", ], url: "http://seclists.org/fulldisclosure/2014/Dec/23", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.ibm.com/support/docview.wss?uid=swg21675496", }, { name: "DSA-2940", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "http://www.debian.org/security/2014/dsa-2940", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: 
"http://www-01.ibm.com/support/docview.wss?uid=swg21675266", }, { name: "59014", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/59014", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21677110", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676091", }, { name: "67121", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/67121", }, { name: "59480", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/59480", }, { name: "HPSBGN03041", tags: [ "vendor-advisory", "x_refsource_HP", "x_transferred", ], url: "http://marc.info/?l=bugtraq&m=140119284401582&w=2", }, { name: "59479", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/59479", }, { name: "59704", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/59704", }, { name: "58947", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/58947", }, { name: "59718", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/59718", }, { name: "59430", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/59430", }, { name: "58851", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/58851", }, { name: "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report", tags: [ "mailing-list", 
"x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E", }, { name: "[infra-devnull] 20190329 [GitHub] [pulsar] massakam opened pull request #3938: Upgrade third party libraries with security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E", }, { name: "[pulsar-commits] 20190329 [GitHub] [pulsar] massakam opened a new pull request #3938: Upgrade third party libraries with security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { name: "[commons-issues] 20190521 [jira] [Created] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E", }, { name: "[commons-issues] 20190522 [jira] [Commented] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E", }, { name: "[commons-issues] 20190522 [jira] [Work logged] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", 
"x_transferred", ], url: "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E", }, { name: "[commons-dev] 20190522 [beanutils2] CVE-2014-0114 Pull Request", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E", }, { name: "[commons-dev] 20190525 Re: [beanutils2] CVE-2014-0114 Pull Request", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E", }, { name: "[commons-commits] 20190528 [commons-beanutils] branch master updated: BEANUTILS-520: Mitigate CVE-2014-0114 by enabling SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS by default. 
(#7)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E", }, { name: "[commons-issues] 20190528 [jira] [Closed] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E", }, { name: "[commons-notifications] 20190528 Build failed in Jenkins: commons-beanutils #74", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E", }, { name: "[commons-commits] 20190528 [commons-beanutils] branch master updated: [BEANUTILS-520] BeanUtils2 mitigate CVE-2014-0114.", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E", }, { name: "[commons-issues] 20190528 [jira] [Work logged] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E", }, { name: "[commons-notifications] 20190528 Build failed in Jenkins: commons-beanutils #75", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E", }, { name: "[commons-dev] 20190605 Re: [beanutils] Towards 1.10", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: 
"https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E", }, { name: "[commons-issues] 20190615 [jira] [Updated] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E", }, { name: "[commons-issues] 20190615 [jira] [Reopened] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E", }, { name: "[commons-issues] 20190615 [jira] [Resolved] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", 
], url: "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E", }, { name: "[commons-dev] 20190814 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default.", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E", }, { name: "[commons-user] 20190814 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default.", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E", }, { name: "[announce] 20190814 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default.", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E", }, { name: "[commons-issues] 20190818 [jira] [Commented] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E", }, { name: "[activemq-gitbox] 20190903 [GitHub] [activemq-artemis] jeloba opened a new pull request #2820: Updated Apache BeanUtils to address CVE", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E", }, { name: "[activemq-issues] 20190904 [jira] [Created] (ARTEMIS-2470) Update Apache BeanUtils to Address CVE-2014-0114", 
tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E", }, { name: "[commons-commits] 20190906 [commons-configuration] branch master updated: [CONFIGURATION-755][CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4.", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E", }, { name: "[commons-issues] 20190906 [jira] [Updated] (CONFIGURATION-755) [CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4.", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E", }, { name: "[commons-issues] 20190906 [jira] [Closed] (CONFIGURATION-755) [CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4.", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E", }, { name: "[activemq-issues] 20190909 [jira] [Work logged] (ARTEMIS-2470) Update Apache BeanUtils to Address CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E", }, { tags: [ 
"x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E", }, { name: "RHSA-2019:2995", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2995", }, { name: "[commons-issues] 20191014 [jira] [Updated] (BEANUTILS-520) Mitigate CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E", }, { name: "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E", }, { name: "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E", }, { name: "[activemq-issues] 20200109 [jira] [Resolved] 
(ARTEMIS-2470) Update Apache BeanUtils to Address CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E", }, { name: "[lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E", }, { name: "[lucene-solr-user] 20200320 Re: CVEs (vulnerabilities) that apply to Solr 8.4.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E", }, { name: "[dolphinscheduler-commits] 20210121 [GitHub] [incubator-dolphinscheduler] c-f-cooper commented on issue #4506: There is a vulnerability in beanutils 1.7.0,upgrade recommended", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2014-04-29T00:00:00", descriptions: [ { lang: "en", value: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", 
lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-01-21T14:06:10", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "[apache-ignite-developers] 20180601 [CVE-2014-0114]: Apache Ignite is vulnerable to existing CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html", }, { name: "57477", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/57477", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.vmware.com/security/advisories/VMSA-2014-0008.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://issues.apache.org/jira/browse/BEANUTILS-463", }, { name: "58710", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/58710", }, { name: "MDVSA-2014:095", tags: [ "vendor-advisory", "x_refsource_MANDRIVA", ], url: "http://www.mandriva.com/security/advisories?name=MDVSA-2014:095", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.vmware.com/security/advisories/VMSA-2014-0012.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675689", }, { name: "FEDORA-2014-9380", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21674812", }, { tags: [ "x_refsource_CONFIRM", ], 
url: "https://security.netapp.com/advisory/ntap-20140911-0001/", }, { name: "59464", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/59464", }, { name: "59118", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/59118", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20180629-0006/", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675387", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://access.redhat.com/solutions/869353", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://advisories.mageia.org/MGASA-2014-0219.html", }, { name: "60703", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/60703", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675972", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676375", }, { name: "[oss-security] 20140707 Re: CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://openwall.com/lists/oss-security/2014/07/08/1", }, { name: "RHSA-2018:2669", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2018:2669", }, { name: "GLSA-201607-09", tags: [ "vendor-advisory", "x_refsource_GENTOO", ], url: "https://security.gentoo.org/glsa/201607-09", }, { name: "HPSBST03160", tags: [ "vendor-advisory", "x_refsource_HP", ], url: 
"http://marc.info/?l=bugtraq&m=141451023707502&w=2", }, { name: "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "http://www.securityfocus.com/archive/1/534161/100/0/threaded", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675898", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676110", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www-01.ibm.com/support/docview.wss?uid=swg27042296", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676303", }, { name: "59228", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/59228", }, { name: "59246", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/59246", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1116665", }, { name: "[oss-security] 20140616 CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://openwall.com/lists/oss-security/2014/06/15/10", }, { name: "59245", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/59245", }, { name: "HPSBMU03090", tags: [ "vendor-advisory", "x_refsource_HP", ], url: "http://marc.info/?l=bugtraq&m=140801096002766&w=2", }, { tags: [ "x_refsource_CONFIRM", ], url: 
"http://www-01.ibm.com/support/docview.wss?uid=swg21674128", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676931", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html", }, { name: "60177", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/60177", }, { name: "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities", tags: [ "mailing-list", "x_refsource_FULLDISC", ], url: "http://seclists.org/fulldisclosure/2014/Dec/23", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.ibm.com/support/docview.wss?uid=swg21675496", }, { name: "DSA-2940", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "http://www.debian.org/security/2014/dsa-2940", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675266", }, { name: "59014", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/59014", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21677110", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676091", }, { name: "67121", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/67121", }, { name: "59480", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/59480", }, { name: "HPSBGN03041", tags: [ "vendor-advisory", "x_refsource_HP", ], url: "http://marc.info/?l=bugtraq&m=140119284401582&w=2", }, { name: "59479", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: 
"http://secunia.com/advisories/59479", }, { name: "59704", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/59704", }, { name: "58947", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/58947", }, { name: "59718", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/59718", }, { name: "59430", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/59430", }, { name: "58851", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/58851", }, { name: "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E", }, { name: "[infra-devnull] 20190329 [GitHub] [pulsar] massakam opened pull request #3938: Upgrade third party libraries with security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E", }, { name: "[pulsar-commits] 20190329 [GitHub] [pulsar] massakam opened a new pull request #3938: Upgrade third party libraries with security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { name: "[commons-issues] 20190521 [jira] [Created] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E", }, { name: "[commons-issues] 20190522 [jira] [Commented] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E", }, { name: "[commons-issues] 20190522 [jira] [Work logged] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E", }, { name: "[commons-dev] 20190522 [beanutils2] CVE-2014-0114 Pull Request", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E", }, { name: "[commons-dev] 20190525 Re: [beanutils2] CVE-2014-0114 Pull Request", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: 
"https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E", }, { name: "[commons-commits] 20190528 [commons-beanutils] branch master updated: BEANUTILS-520: Mitigate CVE-2014-0114 by enabling SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS by default. (#7)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E", }, { name: "[commons-issues] 20190528 [jira] [Closed] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E", }, { name: "[commons-notifications] 20190528 Build failed in Jenkins: commons-beanutils #74", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E", }, { name: "[commons-commits] 20190528 [commons-beanutils] branch master updated: [BEANUTILS-520] BeanUtils2 mitigate CVE-2014-0114.", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E", }, { name: "[commons-issues] 20190528 [jira] [Work logged] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E", }, { name: "[commons-notifications] 20190528 Build failed in Jenkins: commons-beanutils #75", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E", }, { 
name: "[commons-dev] 20190605 Re: [beanutils] Towards 1.10", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E", }, { name: "[commons-issues] 20190615 [jira] [Updated] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E", }, { name: "[commons-issues] 20190615 [jira] [Reopened] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E", }, { name: "[commons-issues] 20190615 [jira] [Resolved] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: 
"https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E", }, { name: "[commons-dev] 20190814 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default.", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E", }, { name: "[commons-user] 20190814 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default.", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E", }, { name: "[announce] 20190814 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default.", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E", }, { name: "[commons-issues] 20190818 [jira] [Commented] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E", }, { name: "[activemq-gitbox] 20190903 [GitHub] [activemq-artemis] jeloba opened a new pull request #2820: Updated Apache BeanUtils to address CVE", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E", }, { name: "[activemq-issues] 20190904 [jira] [Created] (ARTEMIS-2470) Update Apache BeanUtils to Address CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E", }, { name: "[commons-commits] 20190906 [commons-configuration] branch master updated: [CONFIGURATION-755][CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4.", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E", }, { name: "[commons-issues] 20190906 [jira] [Updated] (CONFIGURATION-755) [CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4.", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E", }, { name: "[commons-issues] 20190906 [jira] [Closed] (CONFIGURATION-755) [CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4.", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E", }, { name: "[activemq-issues] 20190909 [jira] [Work logged] (ARTEMIS-2470) Update Apache BeanUtils to Address CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E", }, { name: 
"RHSA-2019:2995", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:2995", }, { name: "[commons-issues] 20191014 [jira] [Updated] (BEANUTILS-520) Mitigate CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E", }, { name: "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E", }, { name: "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E", }, { name: "[activemq-issues] 20200109 [jira] [Resolved] (ARTEMIS-2470) Update Apache BeanUtils to Address CVE-2014-0114", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E", }, { name: "[lucene-solr-user] 
20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E", }, { name: "[lucene-solr-user] 20200320 Re: CVEs (vulnerabilities) that apply to Solr 8.4.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E", }, { name: "[dolphinscheduler-commits] 20210121 [GitHub] [incubator-dolphinscheduler] c-f-cooper commented on issue #4506: There is a vulnerability in beanutils 1.7.0,upgrade recommended", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2014-0114", datePublished: "2014-04-30T10:00:00", dateReserved: "2013-12-03T00:00:00", dateUpdated: "2024-08-06T09:05:38.989Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { fkie_nvd: { configurations: "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:commons_beanutils:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"1.9.1\", \"matchCriteriaId\": \"02FF6542-F5F7-465D-9755-E4EFC8953453\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A5051228-446E-461D-9B5F-8F765C7BA57F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EE1B8A83-43A4-4C4F-BB95-4D9CAD882D1C\"}, {\"vulnerable\": true, \"criteria\": 
\"cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A55DDFE1-A8AB-47BB-903E-957FCF3D023D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:*\", \"matchCriteriaId\": \"93FA9AE3-B453-4FE6-82A9-7DDEF3F6C464\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:*\", \"matchCriteriaId\": \"A3BB6FBE-469B-4920-A30B-33AD9E41ACCD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:struts:1.1:b3:*:*:*:*:*:*\", \"matchCriteriaId\": \"34FC82D3-CCAF-4F37-B531-2A9CA17311A9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"E0B8B413-8C62-44B6-A382-26F35F4573D4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:*\", \"matchCriteriaId\": \"6309C679-890A-4214-8857-9F119CBBAA00\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CD882860-03D0-49E9-8CED-DE6663392548\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EDDD509E-9EBF-483F-9546-A1A3A1A3380E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B2ECF5E1-457F-4E76-81F7-65114DC4E1E4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2FC81E1A-2779-4FAF-866C-970752CD1828\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CBD69FAE-C1A3-4213-824A-7DCCE357EB01\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:struts:1.2.9:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9C34FDB0-2778-4C36-8345-F7E27509A383\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CF0302D3-CB8D-4FA7-8F07-C2C7593877BE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:*\", 
\"matchCriteriaId\": \"03906D34-F3B3-4C56-A6A6-2F7A10168501\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1B3872B7-2972-433D-96A1-154FA545B311\"}]}]}]", descriptions: "[{\"lang\": \"en\", \"value\": \"Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \\\"manipulate\\\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.\"}, {\"lang\": \"es\", \"value\": \"Apache Commons BeanUtils, seg\\u00fan se distribuye en lib/commons-beanutils-1.8.0.jar en Apache Struts 1.x hasta la versi\\u00f3n 1.3.10 y en otros productos que requieren commons-beanutils hasta la versi\\u00f3n 1.9.2, no suprime la propiedad class, lo que permite a atacantes remotos \\\"manipular\\\" el ClassLoader y ejecutar c\\u00f3digo arbitrario a trav\\u00e9s del par\\u00e1metro class, seg\\u00fan lo demostrado por el paso de este par\\u00e1metro al m\\u00e9todo getClass del objeto ActionForm en Struts 1.\"}]", id: "CVE-2014-0114", lastModified: "2024-11-21T02:01:23.960", metrics: "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}", published: 
"2014-04-30T10:49:03.973", references: "[{\"url\": \"http://advisories.mageia.org/MGASA-2014-0219.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://marc.info/?l=bugtraq&m=140119284401582&w=2\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://marc.info/?l=bugtraq&m=140801096002766&w=2\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://marc.info/?l=bugtraq&m=141451023707502&w=2\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://openwall.com/lists/oss-security/2014/06/15/10\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://openwall.com/lists/oss-security/2014/07/08/1\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://seclists.org/fulldisclosure/2014/Dec/23\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/57477\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/58710\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/58851\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/58947\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/59014\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/59118\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/59228\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/59245\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/59246\", \"source\": 
\"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/59430\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/59464\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/59479\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/59480\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/59704\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/59718\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/60177\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/60703\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21674128\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21674812\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21675266\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21675387\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21675689\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21675898\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21675972\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21676091\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21676110\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21676303\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21676375\", \"source\": \"secalert@redhat.com\"}, {\"url\": 
\"http://www-01.ibm.com/support/docview.wss?uid=swg21676931\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21677110\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg27042296\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.debian.org/security/2014/dsa-2940\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.ibm.com/support/docview.wss?uid=swg21675496\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.mandriva.com/security/advisories?name=MDVSA-2014:095\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.securityfocus.com/archive/1/534161/100/0/threaded\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.securityfocus.com/bid/67121\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.vmware.com/security/advisories/VMSA-2014-0008.html\", \"source\": \"secalert@redhat.com\"}, 
{\"url\": \"http://www.vmware.com/security/advisories/VMSA-2014-0012.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:2669\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:2995\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/solutions/869353\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1091938\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1116665\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://issues.apache.org/jira/browse/BEANUTILS-463\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": 
\"https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": 
\"https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": 
\"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": 
\"https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E\", \"source\": 
\"secalert@redhat.com\"}, {\"url\": \"https://security.gentoo.org/glsa/201607-09\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20140911-0001/\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20180629-0006/\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://advisories.mageia.org/MGASA-2014-0219.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://marc.info/?l=bugtraq&m=140119284401582&w=2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://marc.info/?l=bugtraq&m=140801096002766&w=2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://marc.info/?l=bugtraq&m=141451023707502&w=2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://openwall.com/lists/oss-security/2014/06/15/10\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://openwall.com/lists/oss-security/2014/07/08/1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": 
\"http://seclists.org/fulldisclosure/2014/Dec/23\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/57477\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/58710\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/58851\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/58947\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/59014\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/59118\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/59228\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/59245\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/59246\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/59430\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/59464\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/59479\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/59480\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/59704\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/59718\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/60177\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/60703\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21674128\", \"source\": 
\"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21674812\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21675266\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21675387\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21675689\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21675898\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21675972\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21676091\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21676110\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21676303\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21676375\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21676931\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21677110\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg27042296\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.debian.org/security/2014/dsa-2940\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.ibm.com/support/docview.wss?uid=swg21675496\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": 
\"http://www.mandriva.com/security/advisories?name=MDVSA-2014:095\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/archive/1/534161/100/0/threaded\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/67121\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.vmware.com/security/advisories/VMSA-2014-0008.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.vmware.com/security/advisories/VMSA-2014-0012.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:2669\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:2995\", \"source\": 
\"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/solutions/869353\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1091938\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1116665\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://issues.apache.org/jira/browse/BEANUTILS-463\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": 
\"https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": 
\"https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": 
\"https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": 
\"https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": 
\"https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.gentoo.org/glsa/201607-09\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20140911-0001/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20180629-0006/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]", sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}]}]", }, nvd: 
"{\"cve\":{\"id\":\"CVE-2014-0114\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2014-04-30T10:49:03.973\",\"lastModified\":\"2024-11-21T02:01:23.960\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \\\"manipulate\\\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.\"},{\"lang\":\"es\",\"value\":\"Apache Commons BeanUtils, según se distribuye en lib/commons-beanutils-1.8.0.jar en Apache Struts 1.x hasta la versión 1.3.10 y en otros productos que requieren commons-beanutils hasta la versión 1.9.2, no suprime la propiedad class, lo que permite a atacantes remotos \\\"manipular\\\" el ClassLoader y ejecutar código arbitrario a través del parámetro class, según lo demostrado por el paso de este parámetro al método getClass del objeto ActionForm en Struts 
1.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:commons_beanutils:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.9.1\",\"matchCriteriaId\":\"02FF6542-F5F7-465D-9755-E4EFC8953453\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A5051228-446E-461D-9B5F-8F765C7BA57F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EE1B8A83-43A4-4C4F-BB95-4D9CAD882D1C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A55DDFE1-A8AB-47BB-903E-957FCF3D023D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:*\",\"matchCriteriaId\":\"93FA9AE3-B453-4FE6-82A9-7DDEF3F6C464\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:*\",\"matchCriteriaId\":\"A3BB6FBE-469B-4920-A30B-33AD9E41ACCD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.1:b3:*:*:*:*:*:*\",\"matchCriteriaId\":\"34FC82D3-CCAF-4F37-B531-2A9CA17311A9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*
:*\",\"matchCriteriaId\":\"E0B8B413-8C62-44B6-A382-26F35F4573D4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"6309C679-890A-4214-8857-9F119CBBAA00\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CD882860-03D0-49E9-8CED-DE6663392548\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EDDD509E-9EBF-483F-9546-A1A3A1A3380E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B2ECF5E1-457F-4E76-81F7-65114DC4E1E4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2FC81E1A-2779-4FAF-866C-970752CD1828\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CBD69FAE-C1A3-4213-824A-7DCCE357EB01\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.2.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9C34FDB0-2778-4C36-8345-F7E27509A383\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CF0302D3-CB8D-4FA7-8F07-C2C7593877BE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"03906D34-F3B3-4C56-A6A6-2F7A10168501\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1B3872B7-2972-433D-96A1-154FA545B311\"}]}]}],\"references\":[{\"url\":\"http://advisories.mageia.org/MGASA-2014-0219.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.fedoraproject.org/pipermail/pa
ckage-announce/2014-August/136958.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://marc.info/?l=bugtraq&m=140119284401582&w=2\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://marc.info/?l=bugtraq&m=140801096002766&w=2\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://marc.info/?l=bugtraq&m=141451023707502&w=2\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://openwall.com/lists/oss-security/2014/06/15/10\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://openwall.com/lists/oss-security/2014/07/08/1\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://seclists.org/fulldisclosure/2014/Dec/23\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/57477\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/58710\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/58851\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/58947\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/59014\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/59118\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/59228\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/59245\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/59246\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/59430\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/59464\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/59479\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/59480\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/59704\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/59718\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/60177\",\"s
ource\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/60703\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21674128\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21674812\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21675266\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21675387\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21675689\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21675898\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21675972\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21676091\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21676110\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21676303\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21676375\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21676931\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21677110\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg27042296\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.debian.org/security/2014/dsa-2940\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.ibm.com/support/docview.wss?uid=swg21675496\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.mandriva.com/security/advisories?name=MDVSA-2014:095\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpujan2018
-3236628.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securityfocus.com/archive/1/534161/100/0/threaded\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securityfocus.com/bid/67121\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.vmware.com/security/advisories/VMSA-2014-0008.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.vmware.com/security/advisories/VMSA-2014-0012.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2669\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2995\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/solutions/869353\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1091938\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1116665\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://issues.apache.
org/jira/browse/BEANUTILS-463\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@re
dhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/
6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3
Cdev.drill.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E\",\"source\":\"se
calert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://security.gentoo.org/glsa/201607-09\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20140911-0001/\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20180629-0006/\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://advisories.mageia.org/MGASA-2014-0219.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.
2/RELEASE-NOTES.txt\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://marc.info/?l=bugtraq&m=140119284401582&w=2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://marc.info/?l=bugtraq&m=140801096002766&w=2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://marc.info/?l=bugtraq&m=141451023707502&w=2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://openwall.com/lists/oss-security/2014/06/15/10\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://openwall.com/lists/oss-security/2014/07/08/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://seclists.org/fulldisclosure/2014/Dec/23\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/57477\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/58710\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/58851\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/58947\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/59014\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/59118\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/59228\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/59245\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/59246\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/59430\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/59464\",\"source\"
:\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/59479\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/59480\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/59704\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/59718\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/60177\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/60703\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21674128\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21674812\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21675266\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21675387\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21675689\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21675898\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21675972\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21676091\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21676110\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21676303\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21676375\",\"source\":\"af854a3a-2127-422b-91
ae-364da2661108\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21676931\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg21677110\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www-01.ibm.com/support/docview.wss?uid=swg27042296\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.debian.org/security/2014/dsa-2940\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.ibm.com/support/docview.wss?uid=swg21675496\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.mandriva.com/security/advisories?name=MDVSA-2014:095\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/archive/1/534161/100/0/threaded\",\"source\":\"af854a3a-2127-422b-91ae-364da2
661108\"},{\"url\":\"http://www.securityfocus.com/bid/67121\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.vmware.com/security/advisories/VMSA-2014-0008.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.vmware.com/security/advisories/VMSA-2014-0012.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2669\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2995\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/solutions/869353\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1091938\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1116665\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://issues.apache.org/jira/browse/BEANUTILS-463\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\
"https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/3f500972dceb48e3cb351f
58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org
%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http
s://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/ffde3f266d3bde190
b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/201607-09\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20140911-0001/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20180629-0006/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}", }, }
rhsa-2014_0497
Vulnerability from csaf_redhat
Notes
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss Fuse 6.1.0 Patch 1, a security update that addresses one\nsecurity issue, is now available from the Red Hat Customer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,\nflexible, open source enterprise service bus and integration platform.\n\nIt was found that the Struts 1 ActionForm object allowed access to the\n'class' parameter, which is directly mapped to the getClass() method.\nA remote attacker could use this flaw to manipulate the ClassLoader used by\nan application server running Struts 1. This could lead to remote code\nexecution under certain conditions. (CVE-2014-0114)\n\nRefer to the readme.txt file included with the patch files for\ninstallation instructions.\n\nAll users of Red Hat JBoss Fuse 6.1.0 as provided from the Red Hat Customer\nPortal are advised to apply this security update.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2014:0497", url: "https://access.redhat.com/errata/RHSA-2014:0497", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.1.0", }, { category: "external", summary: "1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0497.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Fuse 6.1.0 security update", tracking: { current_release_date: "2024-11-22T07:57:04+00:00", generator: { date: "2024-11-22T07:57:04+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2014:0497", initial_release_date: "2014-05-14T18:06:57+00:00", revision_history: [ { date: "2014-05-14T18:06:57+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:31:38+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T07:57:04+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: 
"Red Hat JBoss Fuse 6.1", product: { name: "Red Hat JBoss Fuse 6.1", product_id: "Red Hat JBoss Fuse 6.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:6.1.0", }, }, }, ], category: "product_family", name: "Red Hat JBoss Fuse", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2014-0114", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2014-04-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1091938", }, ], notes: [ { category: "description", text: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", title: "Vulnerability description", }, { category: "summary", text: "1: Class Loader manipulation via request parameters", title: "Vulnerability summary", }, { category: "other", text: "This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. 
Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0114", }, { category: "external", summary: "RHBZ#1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0114", url: "https://www.cve.org/CVERecord?id=CVE-2014-0114", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", }, ], release_date: "2014-04-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-05-14T18:06:57+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0497", }, { category: "workaround", details: "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua", product_ids: [ "Red Hat JBoss Fuse 6.1", ], }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "1: Class Loader manipulation 
via request parameters", }, ], }
rhsa-2014:0474
Vulnerability from csaf_redhat
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Updated struts packages that fix one security issue are now available for\nRed Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.", title: "Topic", }, { category: "general", text: "Apache Struts is a framework for building web applications with Java.\n\nIt was found that the Struts 1 ActionForm object allowed access to the\n'class' parameter, which is directly mapped to the getClass() method. A\nremote attacker could use this flaw to manipulate the ClassLoader used by\nan application server running Struts 1. This could lead to remote code\nexecution under certain conditions. (CVE-2014-0114)\n\nAll struts users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. All running applications\nusing struts must be restarted for this update to take effect.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2014:0474", url: "https://access.redhat.com/errata/RHSA-2014:0474", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0474.json", }, ], title: "Red Hat Security Advisory: struts security update", tracking: { current_release_date: "2024-11-22T07:56:59+00:00", generator: { date: "2024-11-22T07:56:59+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2014:0474", initial_release_date: "2014-05-07T04:56:26+00:00", revision_history: [ { date: "2014-05-07T04:56:26+00:00", number: "1", summary: "Initial version", }, { date: "2014-05-07T04:56:26+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T07:56:59+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product: { name: "Red Hat Enterprise Linux Desktop Workstation (v. 
5 client)", product_id: "5Client-Workstation-5.10.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:5::client_workstation", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux (v. 5 server)", product: { name: "Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:5::server", }, }, }, ], category: "product_family", name: "Red Hat Enterprise Linux", }, { branches: [ { category: "product_version", name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", product: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", product_id: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/struts-debuginfo@1.2.9-4jpp.8.el5_10?arch=x86_64", }, }, }, { category: "product_version", name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", product: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", product_id: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/struts-webapps-tomcat5@1.2.9-4jpp.8.el5_10?arch=x86_64", }, }, }, { category: "product_version", name: "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", product: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", product_id: "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/struts-manual@1.2.9-4jpp.8.el5_10?arch=x86_64", }, }, }, { category: "product_version", name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", product: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", product_id: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/struts-javadoc@1.2.9-4jpp.8.el5_10?arch=x86_64", }, }, }, { category: "product_version", name: "struts-0:1.2.9-4jpp.8.el5_10.x86_64", product: { name: "struts-0:1.2.9-4jpp.8.el5_10.x86_64", product_id: "struts-0:1.2.9-4jpp.8.el5_10.x86_64", 
product_identification_helper: { purl: "pkg:rpm/redhat/struts@1.2.9-4jpp.8.el5_10?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_version", name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", product: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", product_id: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/struts-debuginfo@1.2.9-4jpp.8.el5_10?arch=s390x", }, }, }, { category: "product_version", name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", product: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", product_id: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/struts-webapps-tomcat5@1.2.9-4jpp.8.el5_10?arch=s390x", }, }, }, { category: "product_version", name: "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", product: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", product_id: "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/struts-manual@1.2.9-4jpp.8.el5_10?arch=s390x", }, }, }, { category: "product_version", name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", product: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", product_id: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/struts-javadoc@1.2.9-4jpp.8.el5_10?arch=s390x", }, }, }, { category: "product_version", name: "struts-0:1.2.9-4jpp.8.el5_10.s390x", product: { name: "struts-0:1.2.9-4jpp.8.el5_10.s390x", product_id: "struts-0:1.2.9-4jpp.8.el5_10.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/struts@1.2.9-4jpp.8.el5_10?arch=s390x", }, }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", product: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", product_id: 
"struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/struts-debuginfo@1.2.9-4jpp.8.el5_10?arch=ia64", }, }, }, { category: "product_version", name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", product: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", product_id: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/struts-webapps-tomcat5@1.2.9-4jpp.8.el5_10?arch=ia64", }, }, }, { category: "product_version", name: "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", product: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", product_id: "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/struts-manual@1.2.9-4jpp.8.el5_10?arch=ia64", }, }, }, { category: "product_version", name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", product: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", product_id: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/struts-javadoc@1.2.9-4jpp.8.el5_10?arch=ia64", }, }, }, { category: "product_version", name: "struts-0:1.2.9-4jpp.8.el5_10.ia64", product: { name: "struts-0:1.2.9-4jpp.8.el5_10.ia64", product_id: "struts-0:1.2.9-4jpp.8.el5_10.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/struts@1.2.9-4jpp.8.el5_10?arch=ia64", }, }, }, ], category: "architecture", name: "ia64", }, { branches: [ { category: "product_version", name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", product: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", product_id: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", product_identification_helper: { purl: "pkg:rpm/redhat/struts-debuginfo@1.2.9-4jpp.8.el5_10?arch=i386", }, }, }, { category: "product_version", name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", product: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", product_id: 
"struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", product_identification_helper: { purl: "pkg:rpm/redhat/struts-webapps-tomcat5@1.2.9-4jpp.8.el5_10?arch=i386", }, }, }, { category: "product_version", name: "struts-manual-0:1.2.9-4jpp.8.el5_10.i386", product: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.i386", product_id: "struts-manual-0:1.2.9-4jpp.8.el5_10.i386", product_identification_helper: { purl: "pkg:rpm/redhat/struts-manual@1.2.9-4jpp.8.el5_10?arch=i386", }, }, }, { category: "product_version", name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", product: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", product_id: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", product_identification_helper: { purl: "pkg:rpm/redhat/struts-javadoc@1.2.9-4jpp.8.el5_10?arch=i386", }, }, }, { category: "product_version", name: "struts-0:1.2.9-4jpp.8.el5_10.i386", product: { name: "struts-0:1.2.9-4jpp.8.el5_10.i386", product_id: "struts-0:1.2.9-4jpp.8.el5_10.i386", product_identification_helper: { purl: "pkg:rpm/redhat/struts@1.2.9-4jpp.8.el5_10?arch=i386", }, }, }, ], category: "architecture", name: "i386", }, { branches: [ { category: "product_version", name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", product: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", product_id: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", product_identification_helper: { purl: "pkg:rpm/redhat/struts-debuginfo@1.2.9-4jpp.8.el5_10?arch=ppc", }, }, }, { category: "product_version", name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", product: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", product_id: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", product_identification_helper: { purl: "pkg:rpm/redhat/struts-webapps-tomcat5@1.2.9-4jpp.8.el5_10?arch=ppc", }, }, }, { category: "product_version", name: "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", product: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", product_id: "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", 
product_identification_helper: { purl: "pkg:rpm/redhat/struts-manual@1.2.9-4jpp.8.el5_10?arch=ppc", }, }, }, { category: "product_version", name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", product: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", product_id: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", product_identification_helper: { purl: "pkg:rpm/redhat/struts-javadoc@1.2.9-4jpp.8.el5_10?arch=ppc", }, }, }, { category: "product_version", name: "struts-0:1.2.9-4jpp.8.el5_10.ppc", product: { name: "struts-0:1.2.9-4jpp.8.el5_10.ppc", product_id: "struts-0:1.2.9-4jpp.8.el5_10.ppc", product_identification_helper: { purl: "pkg:rpm/redhat/struts@1.2.9-4jpp.8.el5_10?arch=ppc", }, }, }, ], category: "architecture", name: "ppc", }, { branches: [ { category: "product_version", name: "struts-0:1.2.9-4jpp.8.el5_10.src", product: { name: "struts-0:1.2.9-4jpp.8.el5_10.src", product_id: "struts-0:1.2.9-4jpp.8.el5_10.src", product_identification_helper: { purl: "pkg:rpm/redhat/struts@1.2.9-4jpp.8.el5_10?arch=src", }, }, }, ], category: "architecture", name: "src", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 
5 client)", product_id: "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.src as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.src", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 
5 client)", product_id: "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 
5 client)", product_id: "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 
5 client)", product_id: "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 
5 client)", product_id: "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 
5 client)", product_id: "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux (v. 
5 server)", product_id: "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.src as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.src", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux (v. 
5 server)", product_id: "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux (v. 
5 server)", product_id: "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux (v. 
5 server)", product_id: "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux (v. 
5 server)", product_id: "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux (v. 
5 server)", product_id: "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Server-5.10.Z", }, ], }, vulnerabilities: [ { cve: "CVE-2014-0114", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2014-04-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1091938", }, ], notes: [ { category: "description", text: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", title: "Vulnerability description", }, { category: "summary", text: "1: Class Loader manipulation via request parameters", title: "Vulnerability summary", }, { category: "other", text: "This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. 
Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", 
"5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: 
"https://access.redhat.com/security/cve/CVE-2014-0114", }, { category: "external", summary: "RHBZ#1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0114", url: "https://www.cve.org/CVERecord?id=CVE-2014-0114", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", }, ], release_date: "2014-04-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-05-07T04:56:26+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258", product_ids: [ "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", 
"5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", 
"5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0474", }, { category: "workaround", details: "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua", product_ids: [ "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", 
"5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", 
"5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", ], }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", 
"5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", ], }, ], threats: [ { category: 
"impact", details: "Important", }, ], title: "1: Class Loader manipulation via request parameters", }, ], }
RHSA-2014:0498
Vulnerability from csaf_redhat
Notes
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Fuse ESB Enterprise 7.1.0 R1 P4 (Patch 4 on Rollup Patch 1), a security\nupdate that addresses one security issue, is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.", title: "Topic", }, { category: "general", text: "Fuse ESB Enterprise is an integration platform based on Apache ServiceMix.\n\nIt was found that the Struts 1 ActionForm object allowed access to the\n'class' parameter, which is directly mapped to the getClass() method.\nA remote attacker could use this flaw to manipulate the ClassLoader used by\nan application server running Struts 1. This could lead to remote code\nexecution under certain conditions. (CVE-2014-0114)\n\nRefer to the readme.txt file included with the patch files for\ninstallation instructions.\n\nAll users of Fuse ESB Enterprise 7.1.0 as provided from the Red Hat\nCustomer Portal are advised to apply this security update.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2014:0498", url: "https://access.redhat.com/errata/RHSA-2014:0498", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.esb.enterprise&downloadType=securityPatches&version=7.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.esb.enterprise&downloadType=securityPatches&version=7.1.0", }, { category: "external", summary: "1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0498.json", }, ], title: "Red Hat Security Advisory: Fuse ESB Enterprise 7.1.0 security update", tracking: { current_release_date: "2024-11-22T07:57:08+00:00", generator: { date: "2024-11-22T07:57:08+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2014:0498", initial_release_date: "2014-05-14T18:06:52+00:00", revision_history: [ { date: "2014-05-14T18:06:52+00:00", number: "1", summary: "Initial version", }, { date: "2014-05-14T18:06:52+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T07:57:08+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: 
"product_name", name: "Fuse ESB Enterprise 7.1.0", product: { name: "Fuse ESB Enterprise 7.1.0", product_id: "Fuse ESB Enterprise 7.1.0", product_identification_helper: { cpe: "cpe:/a:redhat:fuse_esb_enterprise:7.1.0", }, }, }, ], category: "product_family", name: "Fuse Enterprise Middleware", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2014-0114", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2014-04-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1091938", }, ], notes: [ { category: "description", text: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", title: "Vulnerability description", }, { category: "summary", text: "1: Class Loader manipulation via request parameters", title: "Vulnerability summary", }, { category: "other", text: "This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. 
Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Fuse ESB Enterprise 7.1.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0114", }, { category: "external", summary: "RHBZ#1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0114", url: "https://www.cve.org/CVERecord?id=CVE-2014-0114", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", }, ], release_date: "2014-04-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-05-14T18:06:52+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Fuse ESB Enterprise 7.1.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0498", }, { category: "workaround", details: "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua", product_ids: [ "Fuse ESB Enterprise 7.1.0", ], }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "Fuse ESB Enterprise 7.1.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "1: Class Loader 
manipulation via request parameters", }, ], }
RHSA-2014:0497
Vulnerability from csaf_redhat
Notes
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss Fuse 6.1.0 Patch 1, a security update that addresses one\nsecurity issue, is now available from the Red Hat Customer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,\nflexible, open source enterprise service bus and integration platform.\n\nIt was found that the Struts 1 ActionForm object allowed access to the\n'class' parameter, which is directly mapped to the getClass() method.\nA remote attacker could use this flaw to manipulate the ClassLoader used by\nan application server running Struts 1. This could lead to remote code\nexecution under certain conditions. (CVE-2014-0114)\n\nRefer to the readme.txt file included with the patch files for\ninstallation instructions.\n\nAll users of Red Hat JBoss Fuse 6.1.0 as provided from the Red Hat Customer\nPortal are advised to apply this security update.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2014:0497", url: "https://access.redhat.com/errata/RHSA-2014:0497", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.1.0", }, { category: "external", summary: "1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0497.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Fuse 6.1.0 security update", tracking: { current_release_date: "2024-11-22T07:57:04+00:00", generator: { date: "2024-11-22T07:57:04+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2014:0497", initial_release_date: "2014-05-14T18:06:57+00:00", revision_history: [ { date: "2014-05-14T18:06:57+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:31:38+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T07:57:04+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: 
"Red Hat JBoss Fuse 6.1", product: { name: "Red Hat JBoss Fuse 6.1", product_id: "Red Hat JBoss Fuse 6.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:6.1.0", }, }, }, ], category: "product_family", name: "Red Hat JBoss Fuse", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2014-0114", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2014-04-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1091938", }, ], notes: [ { category: "description", text: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", title: "Vulnerability description", }, { category: "summary", text: "1: Class Loader manipulation via request parameters", title: "Vulnerability summary", }, { category: "other", text: "This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. 
Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0114", }, { category: "external", summary: "RHBZ#1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0114", url: "https://www.cve.org/CVERecord?id=CVE-2014-0114", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", }, ], release_date: "2014-04-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-05-14T18:06:57+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0497", }, { category: "workaround", details: "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua", product_ids: [ "Red Hat JBoss Fuse 6.1", ], }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "1: Class Loader manipulation 
via request parameters", }, ], }
RHSA-2014:0474
Vulnerability from csaf_redhat
Notes
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Updated struts packages that fix one security issue are now available for\nRed Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.", title: "Topic", }, { category: "general", text: "Apache Struts is a framework for building web applications with Java.\n\nIt was found that the Struts 1 ActionForm object allowed access to the\n'class' parameter, which is directly mapped to the getClass() method. A\nremote attacker could use this flaw to manipulate the ClassLoader used by\nan application server running Struts 1. This could lead to remote code\nexecution under certain conditions. (CVE-2014-0114)\n\nAll struts users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. All running applications\nusing struts must be restarted for this update to take effect.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2014:0474", url: "https://access.redhat.com/errata/RHSA-2014:0474", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0474.json", }, ], title: "Red Hat Security Advisory: struts security update", tracking: { current_release_date: "2024-11-22T07:56:59+00:00", generator: { date: "2024-11-22T07:56:59+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2014:0474", initial_release_date: "2014-05-07T04:56:26+00:00", revision_history: [ { date: "2014-05-07T04:56:26+00:00", number: "1", summary: "Initial version", }, { date: "2014-05-07T04:56:26+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T07:56:59+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product: { name: "Red Hat Enterprise Linux Desktop Workstation (v. 
5 client)", product_id: "5Client-Workstation-5.10.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:5::client_workstation", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux (v. 5 server)", product: { name: "Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:5::server", }, }, }, ], category: "product_family", name: "Red Hat Enterprise Linux", }, { branches: [ { category: "product_version", name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", product: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", product_id: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/struts-debuginfo@1.2.9-4jpp.8.el5_10?arch=x86_64", }, }, }, { category: "product_version", name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", product: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", product_id: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/struts-webapps-tomcat5@1.2.9-4jpp.8.el5_10?arch=x86_64", }, }, }, { category: "product_version", name: "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", product: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", product_id: "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/struts-manual@1.2.9-4jpp.8.el5_10?arch=x86_64", }, }, }, { category: "product_version", name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", product: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", product_id: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/struts-javadoc@1.2.9-4jpp.8.el5_10?arch=x86_64", }, }, }, { category: "product_version", name: "struts-0:1.2.9-4jpp.8.el5_10.x86_64", product: { name: "struts-0:1.2.9-4jpp.8.el5_10.x86_64", product_id: "struts-0:1.2.9-4jpp.8.el5_10.x86_64", 
product_identification_helper: { purl: "pkg:rpm/redhat/struts@1.2.9-4jpp.8.el5_10?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_version", name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", product: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", product_id: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/struts-debuginfo@1.2.9-4jpp.8.el5_10?arch=s390x", }, }, }, { category: "product_version", name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", product: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", product_id: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/struts-webapps-tomcat5@1.2.9-4jpp.8.el5_10?arch=s390x", }, }, }, { category: "product_version", name: "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", product: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", product_id: "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/struts-manual@1.2.9-4jpp.8.el5_10?arch=s390x", }, }, }, { category: "product_version", name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", product: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", product_id: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/struts-javadoc@1.2.9-4jpp.8.el5_10?arch=s390x", }, }, }, { category: "product_version", name: "struts-0:1.2.9-4jpp.8.el5_10.s390x", product: { name: "struts-0:1.2.9-4jpp.8.el5_10.s390x", product_id: "struts-0:1.2.9-4jpp.8.el5_10.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/struts@1.2.9-4jpp.8.el5_10?arch=s390x", }, }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", product: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", product_id: 
"struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/struts-debuginfo@1.2.9-4jpp.8.el5_10?arch=ia64", }, }, }, { category: "product_version", name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", product: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", product_id: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/struts-webapps-tomcat5@1.2.9-4jpp.8.el5_10?arch=ia64", }, }, }, { category: "product_version", name: "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", product: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", product_id: "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/struts-manual@1.2.9-4jpp.8.el5_10?arch=ia64", }, }, }, { category: "product_version", name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", product: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", product_id: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/struts-javadoc@1.2.9-4jpp.8.el5_10?arch=ia64", }, }, }, { category: "product_version", name: "struts-0:1.2.9-4jpp.8.el5_10.ia64", product: { name: "struts-0:1.2.9-4jpp.8.el5_10.ia64", product_id: "struts-0:1.2.9-4jpp.8.el5_10.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/struts@1.2.9-4jpp.8.el5_10?arch=ia64", }, }, }, ], category: "architecture", name: "ia64", }, { branches: [ { category: "product_version", name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", product: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", product_id: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", product_identification_helper: { purl: "pkg:rpm/redhat/struts-debuginfo@1.2.9-4jpp.8.el5_10?arch=i386", }, }, }, { category: "product_version", name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", product: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", product_id: 
"struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", product_identification_helper: { purl: "pkg:rpm/redhat/struts-webapps-tomcat5@1.2.9-4jpp.8.el5_10?arch=i386", }, }, }, { category: "product_version", name: "struts-manual-0:1.2.9-4jpp.8.el5_10.i386", product: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.i386", product_id: "struts-manual-0:1.2.9-4jpp.8.el5_10.i386", product_identification_helper: { purl: "pkg:rpm/redhat/struts-manual@1.2.9-4jpp.8.el5_10?arch=i386", }, }, }, { category: "product_version", name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", product: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", product_id: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", product_identification_helper: { purl: "pkg:rpm/redhat/struts-javadoc@1.2.9-4jpp.8.el5_10?arch=i386", }, }, }, { category: "product_version", name: "struts-0:1.2.9-4jpp.8.el5_10.i386", product: { name: "struts-0:1.2.9-4jpp.8.el5_10.i386", product_id: "struts-0:1.2.9-4jpp.8.el5_10.i386", product_identification_helper: { purl: "pkg:rpm/redhat/struts@1.2.9-4jpp.8.el5_10?arch=i386", }, }, }, ], category: "architecture", name: "i386", }, { branches: [ { category: "product_version", name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", product: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", product_id: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", product_identification_helper: { purl: "pkg:rpm/redhat/struts-debuginfo@1.2.9-4jpp.8.el5_10?arch=ppc", }, }, }, { category: "product_version", name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", product: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", product_id: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", product_identification_helper: { purl: "pkg:rpm/redhat/struts-webapps-tomcat5@1.2.9-4jpp.8.el5_10?arch=ppc", }, }, }, { category: "product_version", name: "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", product: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", product_id: "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", 
product_identification_helper: { purl: "pkg:rpm/redhat/struts-manual@1.2.9-4jpp.8.el5_10?arch=ppc", }, }, }, { category: "product_version", name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", product: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", product_id: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", product_identification_helper: { purl: "pkg:rpm/redhat/struts-javadoc@1.2.9-4jpp.8.el5_10?arch=ppc", }, }, }, { category: "product_version", name: "struts-0:1.2.9-4jpp.8.el5_10.ppc", product: { name: "struts-0:1.2.9-4jpp.8.el5_10.ppc", product_id: "struts-0:1.2.9-4jpp.8.el5_10.ppc", product_identification_helper: { purl: "pkg:rpm/redhat/struts@1.2.9-4jpp.8.el5_10?arch=ppc", }, }, }, ], category: "architecture", name: "ppc", }, { branches: [ { category: "product_version", name: "struts-0:1.2.9-4jpp.8.el5_10.src", product: { name: "struts-0:1.2.9-4jpp.8.el5_10.src", product_id: "struts-0:1.2.9-4jpp.8.el5_10.src", product_identification_helper: { purl: "pkg:rpm/redhat/struts@1.2.9-4jpp.8.el5_10?arch=src", }, }, }, ], category: "architecture", name: "src", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 
5 client)", product_id: "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.src as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.src", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 
5 client)", product_id: "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 
5 client)", product_id: "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 
5 client)", product_id: "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 
5 client)", product_id: "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 
5 client)", product_id: "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux (v. 
5 server)", product_id: "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.src as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.src", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux (v. 
5 server)", product_id: "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux (v. 
5 server)", product_id: "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux (v. 
5 server)", product_id: "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux (v. 
5 server)", product_id: "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux (v. 
5 server)", product_id: "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Server-5.10.Z", }, ], }, vulnerabilities: [ { cve: "CVE-2014-0114", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2014-04-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1091938", }, ], notes: [ { category: "description", text: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", title: "Vulnerability description", }, { category: "summary", text: "1: Class Loader manipulation via request parameters", title: "Vulnerability summary", }, { category: "other", text: "This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. 
Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", 
"5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: 
"https://access.redhat.com/security/cve/CVE-2014-0114", }, { category: "external", summary: "RHBZ#1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0114", url: "https://www.cve.org/CVERecord?id=CVE-2014-0114", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", }, ], release_date: "2014-04-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-05-07T04:56:26+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258", product_ids: [ "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", 
"5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", 
"5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0474", }, { category: "workaround", details: "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua", product_ids: [ "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", 
"5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", 
"5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", ], }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", 
"5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", ], }, ], threats: [ { category: 
"impact", details: "Important", }, ], title: "1: Class Loader manipulation via request parameters", }, ], }
rhsa-2014_0498
Vulnerability from csaf_redhat
Notes
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Fuse ESB Enterprise 7.1.0 R1 P4 (Patch 4 on Rollup Patch 1), a security\nupdate that addresses one security issue, is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.", title: "Topic", }, { category: "general", text: "Fuse ESB Enterprise is an integration platform based on Apache ServiceMix.\n\nIt was found that the Struts 1 ActionForm object allowed access to the\n'class' parameter, which is directly mapped to the getClass() method.\nA remote attacker could use this flaw to manipulate the ClassLoader used by\nan application server running Struts 1. This could lead to remote code\nexecution under certain conditions. (CVE-2014-0114)\n\nRefer to the readme.txt file included with the patch files for\ninstallation instructions.\n\nAll users of Fuse ESB Enterprise 7.1.0 as provided from the Red Hat\nCustomer Portal are advised to apply this security update.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2014:0498", url: "https://access.redhat.com/errata/RHSA-2014:0498", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.esb.enterprise&downloadType=securityPatches&version=7.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.esb.enterprise&downloadType=securityPatches&version=7.1.0", }, { category: "external", summary: "1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0498.json", }, ], title: "Red Hat Security Advisory: Fuse ESB Enterprise 7.1.0 security update", tracking: { current_release_date: "2024-11-22T07:57:08+00:00", generator: { date: "2024-11-22T07:57:08+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2014:0498", initial_release_date: "2014-05-14T18:06:52+00:00", revision_history: [ { date: "2014-05-14T18:06:52+00:00", number: "1", summary: "Initial version", }, { date: "2014-05-14T18:06:52+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T07:57:08+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: 
"product_name", name: "Fuse ESB Enterprise 7.1.0", product: { name: "Fuse ESB Enterprise 7.1.0", product_id: "Fuse ESB Enterprise 7.1.0", product_identification_helper: { cpe: "cpe:/a:redhat:fuse_esb_enterprise:7.1.0", }, }, }, ], category: "product_family", name: "Fuse Enterprise Middleware", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2014-0114", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2014-04-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1091938", }, ], notes: [ { category: "description", text: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", title: "Vulnerability description", }, { category: "summary", text: "1: Class Loader manipulation via request parameters", title: "Vulnerability summary", }, { category: "other", text: "This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. 
Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Fuse ESB Enterprise 7.1.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0114", }, { category: "external", summary: "RHBZ#1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0114", url: "https://www.cve.org/CVERecord?id=CVE-2014-0114", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", }, ], release_date: "2014-04-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-05-14T18:06:52+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Fuse ESB Enterprise 7.1.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0498", }, { category: "workaround", details: "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua", product_ids: [ "Fuse ESB Enterprise 7.1.0", ], }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "Fuse ESB Enterprise 7.1.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "1: Class Loader 
manipulation via request parameters", }, ], }
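The two advisories above describe the mechanism in one sentence: a BeanUtils-style populator resolves a dotted request parameter name by calling JavaBeans getters, and because every object has getClass(), a parameter whose first segment is "class" walks from the ActionForm to its Class object and on to the ClassLoader. The following is an added illustration of that traversal and of the parameter-exclusion stop-gap that the "workaround" entries link to; it is not code from Struts, Commons BeanUtils or Red Hat. ExampleForm is a hypothetical stand-in for a Struts 1 ActionForm, the tiny populator is a deliberately reduced model of BeanUtils property resolution, and the exclusion regex is modelled on the shape of the Struts parameter-exclusion workaround rather than copied from any release (all three are assumptions of this example). It runs on a stock JDK with no servlet container and does not go near any Tomcat-specific property chain.

```java
import java.lang.reflect.Method;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added example for CVE-2014-0114 (not Struts / BeanUtils / Red Hat code).
 * A minimal BeanUtils-like populator follows a dotted property path via
 * JavaBeans getters. Without suppression of the "class" property, the path
 * "class.classLoader.<anything>" resolves its parent to the application
 * ClassLoader, which is the object the advisory says attackers can manipulate.
 */
public class ClassPropertyDemo {

    /** Hypothetical ActionForm-like bean with one legitimate property. */
    public static class ExampleForm {
        private String username = "";
        public String getUsername() { return username; }
        public void setUsername(String v) { username = v; }
    }

    /** Find the JavaBeans getter for a property name on the target object. */
    static Method getter(Object target, String prop) throws NoSuchMethodException {
        String cap = Character.toUpperCase(prop.charAt(0)) + prop.substring(1);
        return target.getClass().getMethod("get" + cap);
    }

    /**
     * Vulnerable resolution: walk every segment but the last by calling its
     * getter. "class" is treated like any other property, so the walk passes
     * through Object.getClass() and Class.getClassLoader().
     */
    static Object vulnerableResolveParent(Object bean, String path) throws Exception {
        String[] parts = path.split("\\.");
        Object cur = bean;
        for (int i = 0; i < parts.length - 1; i++) {
            cur = getter(cur, parts[i]).invoke(cur);
        }
        return cur;
    }

    /**
     * Exclusion pattern (assumption: modelled on the shape of the Struts
     * workaround, not copied from a release). Rejects any parameter name with
     * a segment named "class" or "Class" in dotted or indexed notation.
     */
    static final Pattern CLASS_SEGMENT =
        Pattern.compile("(^|.*\\.|.*\\[['\"])(c|C)lass(\\.|\\[|['\"]\\]|$).*");

    static boolean isRejected(String paramName) {
        return CLASS_SEGMENT.matcher(paramName).matches();
    }

    /** Hardened front door: drop offending names before any bean population. */
    static Map<String, String> filterParams(Map<String, String> params) {
        Map<String, String> safe = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (!isRejected(e.getKey())) {
                safe.put(e.getKey(), e.getValue());
            }
        }
        return safe;
    }

    public static void main(String[] args) throws Exception {
        ExampleForm form = new ExampleForm();

        // Constructed request parameters: one legitimate, one attacker-shaped.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("username", "alice");
        params.put("class.classLoader.someProperty", "x");

        // Vulnerable path: the parent of the last segment is the ClassLoader.
        Object parent = vulnerableResolveParent(form, "class.classLoader.someProperty");
        System.out.println("Unsuppressed walk reached: " + parent.getClass().getName());
        System.out.println("Is a ClassLoader: " + (parent instanceof ClassLoader));

        // Hardened path: the exclusion filter removes the parameter entirely,
        // so only "username" is left for population.
        Map<String, String> safe = filterParams(params);
        System.out.println("Parameters surviving the filter: " + safe.keySet());
    }
}
```

Compile and run with `javac ClassPropertyDemo.java && java ClassPropertyDemo`. The filter is the stop-gap the advisories' workaround link describes; the fix is the updated struts packages and Fuse patch listed under vendor_fix, which stop the populator from resolving the class property in the first place rather than relying on a front-door regex.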
rhsa-2014_0500
Vulnerability from csaf_redhat
Notes
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Updated struts packages that fix one security issue are now available for\nRed Hat Network Satellite 5.4 and 5.5, and Red Hat Satellite 5.6.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Satellite is a systems management tool for Linux-based\ninfrastructures. It allows for provisioning, monitoring, and remote\nmanagement of multiple Linux deployments with a single, centralized tool.\n\nApache Struts is a framework for building web applications with Java.\n\nIt was found that the Struts 1 ActionForm object allowed access to the\n'class' parameter, which is directly mapped to the getClass() method. A\nremote attacker could use this flaw to manipulate the ClassLoader used by\nan application server running Struts 1. This could lead to remote code\nexecution under certain conditions. (CVE-2014-0114)\n\nAll Satellite users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. For this update to take\neffect, the tomcat6 service must be restarted (\"service tomcat6 restart\").", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2014:0500", url: "https://access.redhat.com/errata/RHSA-2014:0500", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0500.json", }, ], title: "Red Hat Security Advisory: struts security update", tracking: { current_release_date: "2024-11-22T07:56:59+00:00", generator: { date: "2024-11-22T07:56:59+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2014:0500", initial_release_date: "2014-05-14T19:07:42+00:00", revision_history: [ { date: "2014-05-14T19:07:42+00:00", number: "1", summary: "Initial version", }, { date: "2014-06-12T06:13:39+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T07:56:59+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Satellite 5.4 (RHEL v.6)", product: { name: "Red Hat Satellite 5.4 (RHEL v.6)", product_id: "6Server-Satellite", product_identification_helper: { cpe: "cpe:/a:redhat:network_satellite:5.4::el6", }, }, }, { category: "product_name", name: "Red Hat Satellite 5.5 (RHEL v.6)", product: { name: "Red Hat Satellite 5.5 
(RHEL v.6)", product_id: "6Server-Satellite55", product_identification_helper: { cpe: "cpe:/a:redhat:network_satellite:5.5::el6", }, }, }, { category: "product_name", name: "Red Hat Satellite 5.6 (RHEL v.6)", product: { name: "Red Hat Satellite 5.6 (RHEL v.6)", product_id: "6Server-Satellite56", product_identification_helper: { cpe: "cpe:/a:redhat:network_satellite:5.6::el6", }, }, }, ], category: "product_family", name: "Red Hat Satellite", }, { branches: [ { category: "product_version", name: "struts-core-0:1.3.10-6.ep5.el6.noarch", product: { name: "struts-core-0:1.3.10-6.ep5.el6.noarch", product_id: "struts-core-0:1.3.10-6.ep5.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/struts-core@1.3.10-6.ep5.el6?arch=noarch", }, }, }, { category: "product_version", name: "struts-0:1.3.10-6.ep5.el6.noarch", product: { name: "struts-0:1.3.10-6.ep5.el6.noarch", product_id: "struts-0:1.3.10-6.ep5.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/struts@1.3.10-6.ep5.el6?arch=noarch", }, }, }, { category: "product_version", name: "struts-tiles-0:1.3.10-6.ep5.el6.noarch", product: { name: "struts-tiles-0:1.3.10-6.ep5.el6.noarch", product_id: "struts-tiles-0:1.3.10-6.ep5.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/struts-tiles@1.3.10-6.ep5.el6?arch=noarch", }, }, }, { category: "product_version", name: "struts-extras-0:1.3.10-6.ep5.el6.noarch", product: { name: "struts-extras-0:1.3.10-6.ep5.el6.noarch", product_id: "struts-extras-0:1.3.10-6.ep5.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/struts-extras@1.3.10-6.ep5.el6?arch=noarch", }, }, }, { category: "product_version", name: "struts-taglib-0:1.3.10-6.ep5.el6.noarch", product: { name: "struts-taglib-0:1.3.10-6.ep5.el6.noarch", product_id: "struts-taglib-0:1.3.10-6.ep5.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/struts-taglib@1.3.10-6.ep5.el6?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { 
branches: [ { category: "product_version", name: "struts-0:1.3.10-6.ep5.el6.src", product: { name: "struts-0:1.3.10-6.ep5.el6.src", product_id: "struts-0:1.3.10-6.ep5.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/struts@1.3.10-6.ep5.el6?arch=src", }, }, }, ], category: "architecture", name: "src", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "struts-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.5 (RHEL v.6)", product_id: "6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite55", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.3.10-6.ep5.el6.src as a component of Red Hat Satellite 5.5 (RHEL v.6)", product_id: "6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.src", }, product_reference: "struts-0:1.3.10-6.ep5.el6.src", relates_to_product_reference: "6Server-Satellite55", }, { category: "default_component_of", full_product_name: { name: "struts-core-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.5 (RHEL v.6)", product_id: "6Server-Satellite55:struts-core-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-core-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite55", }, { category: "default_component_of", full_product_name: { name: "struts-extras-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.5 (RHEL v.6)", product_id: "6Server-Satellite55:struts-extras-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-extras-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite55", }, { category: "default_component_of", full_product_name: { name: "struts-taglib-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.5 (RHEL v.6)", product_id: "6Server-Satellite55:struts-taglib-0:1.3.10-6.ep5.el6.noarch", }, product_reference: 
"struts-taglib-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite55", }, { category: "default_component_of", full_product_name: { name: "struts-tiles-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.5 (RHEL v.6)", product_id: "6Server-Satellite55:struts-tiles-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-tiles-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite55", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.6 (RHEL v.6)", product_id: "6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite56", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.3.10-6.ep5.el6.src as a component of Red Hat Satellite 5.6 (RHEL v.6)", product_id: "6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.src", }, product_reference: "struts-0:1.3.10-6.ep5.el6.src", relates_to_product_reference: "6Server-Satellite56", }, { category: "default_component_of", full_product_name: { name: "struts-core-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.6 (RHEL v.6)", product_id: "6Server-Satellite56:struts-core-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-core-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite56", }, { category: "default_component_of", full_product_name: { name: "struts-extras-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.6 (RHEL v.6)", product_id: "6Server-Satellite56:struts-extras-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-extras-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite56", }, { category: "default_component_of", full_product_name: { name: "struts-taglib-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.6 (RHEL v.6)", product_id: 
"6Server-Satellite56:struts-taglib-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-taglib-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite56", }, { category: "default_component_of", full_product_name: { name: "struts-tiles-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.6 (RHEL v.6)", product_id: "6Server-Satellite56:struts-tiles-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-tiles-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite56", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.4 (RHEL v.6)", product_id: "6Server-Satellite:struts-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.3.10-6.ep5.el6.src as a component of Red Hat Satellite 5.4 (RHEL v.6)", product_id: "6Server-Satellite:struts-0:1.3.10-6.ep5.el6.src", }, product_reference: "struts-0:1.3.10-6.ep5.el6.src", relates_to_product_reference: "6Server-Satellite", }, { category: "default_component_of", full_product_name: { name: "struts-core-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.4 (RHEL v.6)", product_id: "6Server-Satellite:struts-core-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-core-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite", }, { category: "default_component_of", full_product_name: { name: "struts-extras-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.4 (RHEL v.6)", product_id: "6Server-Satellite:struts-extras-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-extras-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite", }, { category: "default_component_of", full_product_name: { name: "struts-taglib-0:1.3.10-6.ep5.el6.noarch as a component of Red 
Hat Satellite 5.4 (RHEL v.6)", product_id: "6Server-Satellite:struts-taglib-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-taglib-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite", }, { category: "default_component_of", full_product_name: { name: "struts-tiles-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.4 (RHEL v.6)", product_id: "6Server-Satellite:struts-tiles-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-tiles-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite", }, ], }, vulnerabilities: [ { cve: "CVE-2014-0114", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2014-04-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1091938", }, ], notes: [ { category: "description", text: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", title: "Vulnerability description", }, { category: "summary", text: "1: Class Loader manipulation via request parameters", title: "Vulnerability summary", }, { category: "other", text: "This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. 
Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.src", "6Server-Satellite55:struts-core-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-extras-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-taglib-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-tiles-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.src", "6Server-Satellite56:struts-core-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-extras-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-taglib-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-tiles-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-0:1.3.10-6.ep5.el6.src", "6Server-Satellite:struts-core-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-extras-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-taglib-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-tiles-0:1.3.10-6.ep5.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0114", }, { category: "external", summary: "RHBZ#1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0114", url: "https://www.cve.org/CVERecord?id=CVE-2014-0114", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", url: 
"https://nvd.nist.gov/vuln/detail/CVE-2014-0114", }, ], release_date: "2014-04-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-05-14T19:07:42+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258", product_ids: [ "6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.src", "6Server-Satellite55:struts-core-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-extras-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-taglib-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-tiles-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.src", "6Server-Satellite56:struts-core-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-extras-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-taglib-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-tiles-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-0:1.3.10-6.ep5.el6.src", "6Server-Satellite:struts-core-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-extras-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-taglib-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-tiles-0:1.3.10-6.ep5.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0500", }, { category: "workaround", details: "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua", product_ids: [ "6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.src", 
"6Server-Satellite55:struts-core-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-extras-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-taglib-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-tiles-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.src", "6Server-Satellite56:struts-core-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-extras-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-taglib-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-tiles-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-0:1.3.10-6.ep5.el6.src", "6Server-Satellite:struts-core-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-extras-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-taglib-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-tiles-0:1.3.10-6.ep5.el6.noarch", ], }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.src", "6Server-Satellite55:struts-core-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-extras-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-taglib-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-tiles-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.src", "6Server-Satellite56:struts-core-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-extras-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-taglib-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-tiles-0:1.3.10-6.ep5.el6.noarch", 
"6Server-Satellite:struts-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-0:1.3.10-6.ep5.el6.src", "6Server-Satellite:struts-core-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-extras-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-taglib-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-tiles-0:1.3.10-6.ep5.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "1: Class Loader manipulation via request parameters", }, ], }
RHSA-2014:0511
Vulnerability from csaf_redhat
Notes
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for Red Hat JBoss Operations Network 3.2.1, which fixes two\nsecurity issues, is now available from the Red Hat Customer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Operations Network is a middleware management solution that\nprovides a single point of control to deploy, manage, and monitor JBoss\nEnterprise Middleware, applications, and services.\n\nApache Struts is a framework for building web applications with Java.\n\nIt was found that the Struts 1 ActionForm object allowed access to the\n'class' parameter, which is directly mapped to the getClass() method. A\nremote attacker could use this flaw to manipulate the ClassLoader used by\nan application server running Struts 1. This could lead to remote code\nexecution under certain conditions. (CVE-2014-0114)\n\nIt was found that when JBoss Web processed a series of HTTP requests in\nwhich at least one request contained either multiple content-length\nheaders, or one content-length header with a chunked transfer-encoding\nheader, JBoss Web would incorrectly handle the request. 
A remote attacker\ncould use this flaw to poison a web cache, perform cross-site scripting\n(XSS) attacks, or obtain sensitive information from other requests.\n(CVE-2013-4286)\n\nAll users of JBoss Operations Network 3.2.1 as provided from the Red Hat\nCustomer Portal are advised to apply this update.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2014:0511", url: "https://access.redhat.com/errata/RHSA-2014:0511", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=em&version=3.2.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=em&version=3.2.0", }, { category: "external", summary: "1069921", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1069921", }, { category: "external", summary: "1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0511.json", }, ], title: "Red Hat Security 
Advisory: Red Hat JBoss Operations Network 3.2.1 security update", tracking: { current_release_date: "2025-02-02T19:39:53+00:00", generator: { date: "2025-02-02T19:39:53+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.6", }, }, id: "RHSA-2014:0511", initial_release_date: "2014-05-15T17:18:12+00:00", revision_history: [ { date: "2014-05-15T17:18:12+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:33:11+00:00", number: "2", summary: "Last updated version", }, { date: "2025-02-02T19:39:53+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Operations Network 3.2", product: { name: "Red Hat JBoss Operations Network 3.2", product_id: "Red Hat JBoss Operations Network 3.2", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_operations_network:3.2.1", }, }, }, ], category: "product_family", name: "Red Hat JBoss Operations Network", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2013-4286", discovery_date: "2014-02-25T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1069921", }, ], notes: [ { category: "description", text: "It was found that when Tomcat / JBoss Web processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat / JBoss Web would incorrectly handle the request. 
A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: multiple content-length header poisoning flaws", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Operations Network 3.2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-4286", }, { category: "external", summary: "RHBZ#1069921", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1069921", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-4286", url: "https://www.cve.org/CVERecord?id=CVE-2013-4286", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-4286", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-4286", }, ], release_date: "2014-02-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-05-15T17:18:12+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Before applying this update, back up your\nexisting JBoss Operations Network installation (including its databases,\napplications, configuration files, the JBoss Operations Network server's\nfile system directory, and so on).\n\nRefer to the \"Manual Instructions\" section of the release description,\navailable from the Customer Portal for this update, for installation\ninformation.", product_ids: [ "Red Hat JBoss Operations Network 3.2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0511", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss Operations Network 3.2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tomcat: multiple content-length header poisoning flaws", }, { cve: "CVE-2014-0114", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2014-04-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1091938", }, ], notes: [ { category: "description", text: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", title: "Vulnerability description", }, { category: "summary", text: "1: Class Loader manipulation via request parameters", title: "Vulnerability summary", }, { category: "other", text: "This flaw allows attackers to manipulate ClassLoader properties on 
a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Operations Network 3.2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0114", }, { category: "external", summary: "RHBZ#1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0114", url: "https://www.cve.org/CVERecord?id=CVE-2014-0114", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", }, ], release_date: "2014-04-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-05-15T17:18:12+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Before applying this update, back up your\nexisting JBoss Operations Network installation (including its databases,\napplications, configuration files, the JBoss Operations Network server's\nfile system directory, and so on).\n\nRefer to the \"Manual Instructions\" section of the release description,\navailable from the Customer Portal for this update, for installation\ninformation.", product_ids: [ "Red Hat JBoss Operations Network 3.2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0511", }, { category: "workaround", details: "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua", product_ids: [ "Red Hat JBoss Operations Network 3.2", ], }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "Red Hat JBoss Operations Network 3.2", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "1: Class Loader manipulation via request parameters", }, ], }
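The CVE-2013-4286 description in RHSA-2014:0511 above says Tomcat / JBoss Web mishandled a request that carried either several Content-Length headers or a Content-Length header together with a chunked Transfer-Encoding. The danger is not the odd request itself but two hops (a cache or proxy and the application server) choosing different body lengths for it, so the attacker's leftover bytes become the start of the next request on the shared connection. The following is an added example, not code from the advisory or from Tomcat/JBoss Web; it implements the framing rule the Tomcat fix for this CVE enforces (reject rather than guess), over constructed header sections. The class name, enum names and sample requests are this example's own.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

public class FramingCheck {

    /** Outcome of checking one request's header section. */
    public enum Verdict {
        OK,
        REJECT_MULTIPLE_CONTENT_LENGTH,
        REJECT_CONTENT_LENGTH_WITH_CHUNKED
    }

    /**
     * Decide whether the headers give exactly one unambiguous body length.
     * Rules (RFC 7230 section 3.3.3, applied strictly as Tomcat does after the fix):
     *  - more than one Content-Length header: reject, even if the values agree,
     *    because the server cannot know which one an upstream hop honoured;
     *  - Content-Length together with Transfer-Encoding: chunked: reject instead of
     *    picking one, since a front-end that picks the other is what lets the attacker
     *    smuggle a second request, poison a cache or read another user's response.
     * headerLines holds header fields only (no request line), as constructed below.
     */
    static Verdict check(List<String> headerLines) {
        int contentLengthCount = 0;
        boolean chunked = false;
        for (String line : headerLines) {
            int colon = line.indexOf(':');
            if (colon < 0) {
                continue; // malformed field; a real parser would reject it outright
            }
            String name = line.substring(0, colon).trim().toLowerCase(Locale.ROOT);
            String value = line.substring(colon + 1).trim().toLowerCase(Locale.ROOT);
            if (name.equals("content-length")) {
                contentLengthCount++;
            } else if (name.equals("transfer-encoding")) {
                // Any coding list that contains "chunked" makes the message chunked.
                for (String coding : value.split(",")) {
                    if (coding.trim().equals("chunked")) {
                        chunked = true;
                    }
                }
            }
        }
        if (contentLengthCount > 1) {
            return Verdict.REJECT_MULTIPLE_CONTENT_LENGTH;
        }
        if (contentLengthCount == 1 && chunked) {
            return Verdict.REJECT_CONTENT_LENGTH_WITH_CHUNKED;
        }
        return Verdict.OK;
    }

    public static void main(String[] args) {
        // Constructed sample header sections (request line omitted).
        List<String> clean = Arrays.asList(
            "Host: example.test", "Content-Length: 27");
        List<String> duplicateCl = Arrays.asList(
            "Host: example.test", "Content-Length: 6", "Content-Length: 27");
        List<String> clAndTe = Arrays.asList(
            "Host: example.test", "Content-Length: 6", "Transfer-Encoding: chunked");

        System.out.println("clean:           " + check(clean));
        System.out.println("duplicate CL:    " + check(duplicateCl));
        System.out.println("CL + TE chunked: " + check(clAndTe));
    }
}
```

The check is deliberately stricter than "prefer Transfer-Encoding": tolerance is exactly what a desync attack feeds on, and the only safe shared answer between a proxy and the server behind it is a 400 for both shapes. When you cannot patch the server, applying the same rule at the front-end proxy removes the disagreement the attack depends on.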
rhsa-2019:2995
Vulnerability from csaf_redhat
Notes
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat A-MQ Broker 7.5 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. \n\nThis release of Red Hat A-MQ Broker 7.5.0 serves as a replacement for Red Hat A-MQ Broker 7.4.1, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* Apache Struts 1: Class Loader manipulation via request parameters (CVE-2014-0114)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2019:2995", url: "https://access.redhat.com/errata/RHSA-2019:2995", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.broker&version=7.5.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.broker&version=7.5.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_amq/7.5/", url: "https://access.redhat.com/documentation/en-us/red_hat_amq/7.5/", }, { category: "external", summary: "1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "external", summary: "ENTMQBR-2849", url: "https://issues.redhat.com/browse/ENTMQBR-2849", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_2995.json", }, ], title: "Red Hat Security Advisory: Red Hat A-MQ Broker 7.5 release and security update", tracking: { current_release_date: "2024-11-22T07:56:48+00:00", generator: { date: "2024-11-22T07:56:48+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2019:2995", initial_release_date: "2019-10-10T07:20:12+00:00", revision_history: [ { date: "2019-10-10T07:20:12+00:00", number: "1", summary: "Initial version", }, { date: 
"2019-10-10T07:20:12+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T07:56:48+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat AMQ Broker 7", product: { name: "Red Hat AMQ Broker 7", product_id: "Red Hat AMQ Broker 7", product_identification_helper: { cpe: "cpe:/a:redhat:amq_broker:7", }, }, }, ], category: "product_family", name: "Red Hat JBoss AMQ", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2014-0114", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2014-04-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1091938", }, ], notes: [ { category: "description", text: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", title: "Vulnerability description", }, { category: "summary", text: "1: Class Loader manipulation via request parameters", title: "Vulnerability summary", }, { category: "other", text: "This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. 
However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Broker 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0114", }, { category: "external", summary: "RHBZ#1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0114", url: "https://www.cve.org/CVERecord?id=CVE-2014-0114", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", }, ], release_date: "2014-04-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2019-10-10T07:20:12+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Broker 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2019:2995", }, { category: "workaround", details: "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua", product_ids: [ "Red Hat AMQ Broker 7", ], }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, 
confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "Red Hat AMQ Broker 7", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "1: Class Loader manipulation via request parameters", }, ], }
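The CVE-2014-0114 descriptions in RHSA-2014:0500, RHSA-2014:0511 and RHSA-2019:2995 above all make the same point: Commons BeanUtils exposed the `class` bean property, so a request parameter named `class.classLoader.<something>` handed to `BeanUtils.populate()` by a Struts 1 ActionForm walks from `getClass()` into the application ClassLoader, and what can then be set depends on which ClassLoader properties the container exposes. The example below is added here and is not code from the advisories, Red Hat, Struts or Commons BeanUtils. It shows the vulnerable default beside the two fixes the advisories point at: suppressing `class` in the library (the `SuppressPropertiesBeanIntrospector` added in BeanUtils 1.9.2, which the Struts fix in BEANUTILS-463 introduced) and rejecting such parameter names before they reach the binder (the workaround the HP blog link describes). It assumes commons-beanutils 1.9.2 or later on the classpath; `LoginForm`, the parameter names, the chosen ClassLoader setter and the regex are constructed for this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

import org.apache.commons.beanutils.BeanUtils;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtils;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassParameterDemo {

    /** Hypothetical stand-in for a Struts 1 ActionForm. */
    public static class LoginForm {
        private String username;
        public String getUsername() { return username; }
        public void setUsername(String u) { username = u; }
    }

    /**
     * Parameter-name filter in the spirit of the Struts 1 workaround the advisory
     * links to: drop "class" as the first path element or as any nested element, in
     * dotted or indexed form ("class.x", "a.class.x", "a[class]", "a['class']").
     * This pattern is the example's own, not the one Struts or HP published.
     */
    static final Pattern CLASS_PATH =
        Pattern.compile("(^|.*[.\\[]['\"]?)[cC]lass(['\"]?[.\\[\\]].*|$)");

    static Map<String, String> dropClassParameters(Map<String, String> params) {
        Map<String, String> safe = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (CLASS_PATH.matcher(e.getKey()).matches()) {
                System.out.println("rejected parameter: " + e.getKey());
            } else {
                safe.put(e.getKey(), e.getValue());
            }
        }
        return safe;
    }

    /** BeanUtilsBean with the "class" property suppressed (BeanUtils 1.9.2+). */
    static BeanUtilsBean hardenedBeanUtils() {
        BeanUtilsBean b = new BeanUtilsBean();   // owns a fresh PropertyUtilsBean
        b.getPropertyUtils().addBeanIntrospector(
            SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return b;
    }

    public static void main(String[] args) throws Exception {
        // Constructed request parameters, in the shape a Struts 1 RequestProcessor
        // hands to BeanUtils.populate(). The second key is the path named in the CVE:
        // getClass() -> getClassLoader() -> a ClassLoader setter. A harmless setter
        // present on every JVM is used here; the container-specific properties the
        // published exploits target are deliberately not part of this example.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("username", "alice");
        params.put("class.classLoader.defaultAssertionStatus", "true");

        // 1. Vulnerable default (BeanUtils 1.8.x through 1.9.3): the shared singleton
        //    resolves the whole path and a request parameter mutates the ClassLoader.
        //    Observable with default JVM flags: desiredAssertionStatus flips to true.
        LoginForm form = new LoginForm();
        System.out.println("assertion status before: " + LoginForm.class.desiredAssertionStatus());
        try {
            Object cl = PropertyUtils.getProperty(form, "class.classLoader");
            System.out.println("'class.classLoader' resolves to " + cl.getClass().getName());
            BeanUtils.populate(form, params);
            System.out.println("assertion status after:  " + LoginForm.class.desiredAssertionStatus());
        } catch (NoSuchMethodException alreadyFixed) {
            // BeanUtils 1.9.4+ suppresses "class" in the default instance as well.
            System.out.println("singleton already suppresses 'class': " + alreadyFixed.getMessage());
        }

        // 2. Hardened in the library: "class" is no longer a bean property, so the
        //    nested path fails to resolve and populate() silently skips that parameter.
        LoginForm form2 = new LoginForm();
        BeanUtilsBean hardened = hardenedBeanUtils();
        hardened.populate(form2, params);
        try {
            hardened.getPropertyUtils().getProperty(form2, "class");
        } catch (NoSuchMethodException expected) {
            System.out.println("hardened library: " + expected.getMessage());
        }

        // 3. Hardened at the edge: the parameter never reaches populate(). Use this
        //    where the library cannot be upgraded, and as defence in depth otherwise.
        LoginForm form3 = new LoginForm();
        BeanUtils.populate(form3, dropClassParameters(params));
        System.out.println("username still bound: " + form3.getUsername());
    }
}
```

Two practical notes. Struts 1 itself was end-of-life when this CVE was published, so an application that cannot take Red Hat's backported struts packages has only these two options: swap in a BeanUtils with `class` suppressed (1.9.4 and later do it by default) or put a request filter in front of every ActionForm. And as the Red Hat statement in the advisory says, what an attacker gains from reaching the ClassLoader is container-specific; the published remote-code-execution chains needed properties Tomcat 8 exposes, but any writable property reachable from the loader is in scope, so treat the parameter path, not a particular setter, as the thing to block.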
rhsa-2014_0474
Vulnerability from csaf_redhat
Notes
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Updated struts packages that fix one security issue are now available for\nRed Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.", title: "Topic", }, { category: "general", text: "Apache Struts is a framework for building web applications with Java.\n\nIt was found that the Struts 1 ActionForm object allowed access to the\n'class' parameter, which is directly mapped to the getClass() method. A\nremote attacker could use this flaw to manipulate the ClassLoader used by\nan application server running Struts 1. This could lead to remote code\nexecution under certain conditions. (CVE-2014-0114)\n\nAll struts users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. All running applications\nusing struts must be restarted for this update to take effect.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2014:0474", url: "https://access.redhat.com/errata/RHSA-2014:0474", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0474.json", }, ], title: "Red Hat Security Advisory: struts security update", tracking: { current_release_date: "2024-11-22T07:56:59+00:00", generator: { date: "2024-11-22T07:56:59+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2014:0474", initial_release_date: "2014-05-07T04:56:26+00:00", revision_history: [ { date: "2014-05-07T04:56:26+00:00", number: "1", summary: "Initial version", }, { date: "2014-05-07T04:56:26+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T07:56:59+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product: { name: "Red Hat Enterprise Linux Desktop Workstation (v. 
5 client)", product_id: "5Client-Workstation-5.10.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:5::client_workstation", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux (v. 5 server)", product: { name: "Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:5::server", }, }, }, ], category: "product_family", name: "Red Hat Enterprise Linux", }, { branches: [ { category: "product_version", name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", product: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", product_id: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/struts-debuginfo@1.2.9-4jpp.8.el5_10?arch=x86_64", }, }, }, { category: "product_version", name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", product: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", product_id: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/struts-webapps-tomcat5@1.2.9-4jpp.8.el5_10?arch=x86_64", }, }, }, { category: "product_version", name: "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", product: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", product_id: "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/struts-manual@1.2.9-4jpp.8.el5_10?arch=x86_64", }, }, }, { category: "product_version", name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", product: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", product_id: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/struts-javadoc@1.2.9-4jpp.8.el5_10?arch=x86_64", }, }, }, { category: "product_version", name: "struts-0:1.2.9-4jpp.8.el5_10.x86_64", product: { name: "struts-0:1.2.9-4jpp.8.el5_10.x86_64", product_id: "struts-0:1.2.9-4jpp.8.el5_10.x86_64", 
product_identification_helper: { purl: "pkg:rpm/redhat/struts@1.2.9-4jpp.8.el5_10?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_version", name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", product: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", product_id: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/struts-debuginfo@1.2.9-4jpp.8.el5_10?arch=s390x", }, }, }, { category: "product_version", name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", product: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", product_id: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/struts-webapps-tomcat5@1.2.9-4jpp.8.el5_10?arch=s390x", }, }, }, { category: "product_version", name: "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", product: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", product_id: "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/struts-manual@1.2.9-4jpp.8.el5_10?arch=s390x", }, }, }, { category: "product_version", name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", product: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", product_id: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/struts-javadoc@1.2.9-4jpp.8.el5_10?arch=s390x", }, }, }, { category: "product_version", name: "struts-0:1.2.9-4jpp.8.el5_10.s390x", product: { name: "struts-0:1.2.9-4jpp.8.el5_10.s390x", product_id: "struts-0:1.2.9-4jpp.8.el5_10.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/struts@1.2.9-4jpp.8.el5_10?arch=s390x", }, }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", product: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", product_id: 
"struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/struts-debuginfo@1.2.9-4jpp.8.el5_10?arch=ia64", }, }, }, { category: "product_version", name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", product: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", product_id: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/struts-webapps-tomcat5@1.2.9-4jpp.8.el5_10?arch=ia64", }, }, }, { category: "product_version", name: "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", product: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", product_id: "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/struts-manual@1.2.9-4jpp.8.el5_10?arch=ia64", }, }, }, { category: "product_version", name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", product: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", product_id: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/struts-javadoc@1.2.9-4jpp.8.el5_10?arch=ia64", }, }, }, { category: "product_version", name: "struts-0:1.2.9-4jpp.8.el5_10.ia64", product: { name: "struts-0:1.2.9-4jpp.8.el5_10.ia64", product_id: "struts-0:1.2.9-4jpp.8.el5_10.ia64", product_identification_helper: { purl: "pkg:rpm/redhat/struts@1.2.9-4jpp.8.el5_10?arch=ia64", }, }, }, ], category: "architecture", name: "ia64", }, { branches: [ { category: "product_version", name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", product: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", product_id: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", product_identification_helper: { purl: "pkg:rpm/redhat/struts-debuginfo@1.2.9-4jpp.8.el5_10?arch=i386", }, }, }, { category: "product_version", name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", product: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", product_id: 
"struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", product_identification_helper: { purl: "pkg:rpm/redhat/struts-webapps-tomcat5@1.2.9-4jpp.8.el5_10?arch=i386", }, }, }, { category: "product_version", name: "struts-manual-0:1.2.9-4jpp.8.el5_10.i386", product: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.i386", product_id: "struts-manual-0:1.2.9-4jpp.8.el5_10.i386", product_identification_helper: { purl: "pkg:rpm/redhat/struts-manual@1.2.9-4jpp.8.el5_10?arch=i386", }, }, }, { category: "product_version", name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", product: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", product_id: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", product_identification_helper: { purl: "pkg:rpm/redhat/struts-javadoc@1.2.9-4jpp.8.el5_10?arch=i386", }, }, }, { category: "product_version", name: "struts-0:1.2.9-4jpp.8.el5_10.i386", product: { name: "struts-0:1.2.9-4jpp.8.el5_10.i386", product_id: "struts-0:1.2.9-4jpp.8.el5_10.i386", product_identification_helper: { purl: "pkg:rpm/redhat/struts@1.2.9-4jpp.8.el5_10?arch=i386", }, }, }, ], category: "architecture", name: "i386", }, { branches: [ { category: "product_version", name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", product: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", product_id: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", product_identification_helper: { purl: "pkg:rpm/redhat/struts-debuginfo@1.2.9-4jpp.8.el5_10?arch=ppc", }, }, }, { category: "product_version", name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", product: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", product_id: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", product_identification_helper: { purl: "pkg:rpm/redhat/struts-webapps-tomcat5@1.2.9-4jpp.8.el5_10?arch=ppc", }, }, }, { category: "product_version", name: "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", product: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", product_id: "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", 
product_identification_helper: { purl: "pkg:rpm/redhat/struts-manual@1.2.9-4jpp.8.el5_10?arch=ppc", }, }, }, { category: "product_version", name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", product: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", product_id: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", product_identification_helper: { purl: "pkg:rpm/redhat/struts-javadoc@1.2.9-4jpp.8.el5_10?arch=ppc", }, }, }, { category: "product_version", name: "struts-0:1.2.9-4jpp.8.el5_10.ppc", product: { name: "struts-0:1.2.9-4jpp.8.el5_10.ppc", product_id: "struts-0:1.2.9-4jpp.8.el5_10.ppc", product_identification_helper: { purl: "pkg:rpm/redhat/struts@1.2.9-4jpp.8.el5_10?arch=ppc", }, }, }, ], category: "architecture", name: "ppc", }, { branches: [ { category: "product_version", name: "struts-0:1.2.9-4jpp.8.el5_10.src", product: { name: "struts-0:1.2.9-4jpp.8.el5_10.src", product_id: "struts-0:1.2.9-4jpp.8.el5_10.src", product_identification_helper: { purl: "pkg:rpm/redhat/struts@1.2.9-4jpp.8.el5_10?arch=src", }, }, }, ], category: "architecture", name: "src", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 
5 client)", product_id: "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.src as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.src", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 
5 client)", product_id: "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 
5 client)", product_id: "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 
5 client)", product_id: "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 
5 client)", product_id: "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux Desktop Workstation (v. 
5 client)", product_id: "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)", product_id: "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Client-Workstation-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux (v. 
5 server)", product_id: "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.src as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.src", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux (v. 
5 server)", product_id: "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux (v. 
5 server)", product_id: "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux (v. 
5 server)", product_id: "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386 as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64 as a component of Red Hat Enterprise Linux (v. 
5 server)", product_id: "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x as a component of Red Hat Enterprise Linux (v. 5 server)", product_id: "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", relates_to_product_reference: "5Server-5.10.Z", }, { category: "default_component_of", full_product_name: { name: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64 as a component of Red Hat Enterprise Linux (v. 
5 server)", product_id: "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", }, product_reference: "struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", relates_to_product_reference: "5Server-5.10.Z", }, ], }, vulnerabilities: [ { cve: "CVE-2014-0114", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2014-04-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1091938", }, ], notes: [ { category: "description", text: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", title: "Vulnerability description", }, { category: "summary", text: "1: Class Loader manipulation via request parameters", title: "Vulnerability summary", }, { category: "other", text: "This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. 
Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", 
"5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: 
"https://access.redhat.com/security/cve/CVE-2014-0114", }, { category: "external", summary: "RHBZ#1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0114", url: "https://www.cve.org/CVERecord?id=CVE-2014-0114", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", }, ], release_date: "2014-04-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-05-07T04:56:26+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258", product_ids: [ "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", 
"5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", 
"5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0474", }, { category: "workaround", details: "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua", product_ids: [ "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", 
"5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", 
"5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", ], }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", "5Client-Workstation-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", 
"5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", "5Client-Workstation-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.src", "5Server-5.10.Z:struts-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-debuginfo-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-javadoc-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-manual-0:1.2.9-4jpp.8.el5_10.x86_64", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.i386", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ia64", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.ppc", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.s390x", "5Server-5.10.Z:struts-webapps-tomcat5-0:1.2.9-4jpp.8.el5_10.x86_64", ], }, ], threats: [ { category: 
"impact", details: "Important", }, ], title: "1: Class Loader manipulation via request parameters", }, ], }
RHSA-2014:0500
Vulnerability from csaf_redhat
Notes
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Updated struts packages that fix one security issue are now available for\nRed Hat Network Satellite 5.4 and 5.5, and Red Hat Satellite 5.6.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Satellite is a systems management tool for Linux-based\ninfrastructures. It allows for provisioning, monitoring, and remote\nmanagement of multiple Linux deployments with a single, centralized tool.\n\nApache Struts is a framework for building web applications with Java.\n\nIt was found that the Struts 1 ActionForm object allowed access to the\n'class' parameter, which is directly mapped to the getClass() method. A\nremote attacker could use this flaw to manipulate the ClassLoader used by\nan application server running Struts 1. This could lead to remote code\nexecution under certain conditions. (CVE-2014-0114)\n\nAll Satellite users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. For this update to take\neffect, the tomcat6 service must be restarted (\"service tomcat6 restart\").", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2014:0500", url: "https://access.redhat.com/errata/RHSA-2014:0500", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0500.json", }, ], title: "Red Hat Security Advisory: struts security update", tracking: { current_release_date: "2024-11-22T07:56:59+00:00", generator: { date: "2024-11-22T07:56:59+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2014:0500", initial_release_date: "2014-05-14T19:07:42+00:00", revision_history: [ { date: "2014-05-14T19:07:42+00:00", number: "1", summary: "Initial version", }, { date: "2014-06-12T06:13:39+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T07:56:59+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Satellite 5.4 (RHEL v.6)", product: { name: "Red Hat Satellite 5.4 (RHEL v.6)", product_id: "6Server-Satellite", product_identification_helper: { cpe: "cpe:/a:redhat:network_satellite:5.4::el6", }, }, }, { category: "product_name", name: "Red Hat Satellite 5.5 (RHEL v.6)", product: { name: "Red Hat Satellite 5.5 
(RHEL v.6)", product_id: "6Server-Satellite55", product_identification_helper: { cpe: "cpe:/a:redhat:network_satellite:5.5::el6", }, }, }, { category: "product_name", name: "Red Hat Satellite 5.6 (RHEL v.6)", product: { name: "Red Hat Satellite 5.6 (RHEL v.6)", product_id: "6Server-Satellite56", product_identification_helper: { cpe: "cpe:/a:redhat:network_satellite:5.6::el6", }, }, }, ], category: "product_family", name: "Red Hat Satellite", }, { branches: [ { category: "product_version", name: "struts-core-0:1.3.10-6.ep5.el6.noarch", product: { name: "struts-core-0:1.3.10-6.ep5.el6.noarch", product_id: "struts-core-0:1.3.10-6.ep5.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/struts-core@1.3.10-6.ep5.el6?arch=noarch", }, }, }, { category: "product_version", name: "struts-0:1.3.10-6.ep5.el6.noarch", product: { name: "struts-0:1.3.10-6.ep5.el6.noarch", product_id: "struts-0:1.3.10-6.ep5.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/struts@1.3.10-6.ep5.el6?arch=noarch", }, }, }, { category: "product_version", name: "struts-tiles-0:1.3.10-6.ep5.el6.noarch", product: { name: "struts-tiles-0:1.3.10-6.ep5.el6.noarch", product_id: "struts-tiles-0:1.3.10-6.ep5.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/struts-tiles@1.3.10-6.ep5.el6?arch=noarch", }, }, }, { category: "product_version", name: "struts-extras-0:1.3.10-6.ep5.el6.noarch", product: { name: "struts-extras-0:1.3.10-6.ep5.el6.noarch", product_id: "struts-extras-0:1.3.10-6.ep5.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/struts-extras@1.3.10-6.ep5.el6?arch=noarch", }, }, }, { category: "product_version", name: "struts-taglib-0:1.3.10-6.ep5.el6.noarch", product: { name: "struts-taglib-0:1.3.10-6.ep5.el6.noarch", product_id: "struts-taglib-0:1.3.10-6.ep5.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/struts-taglib@1.3.10-6.ep5.el6?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { 
branches: [ { category: "product_version", name: "struts-0:1.3.10-6.ep5.el6.src", product: { name: "struts-0:1.3.10-6.ep5.el6.src", product_id: "struts-0:1.3.10-6.ep5.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/struts@1.3.10-6.ep5.el6?arch=src", }, }, }, ], category: "architecture", name: "src", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "struts-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.5 (RHEL v.6)", product_id: "6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite55", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.3.10-6.ep5.el6.src as a component of Red Hat Satellite 5.5 (RHEL v.6)", product_id: "6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.src", }, product_reference: "struts-0:1.3.10-6.ep5.el6.src", relates_to_product_reference: "6Server-Satellite55", }, { category: "default_component_of", full_product_name: { name: "struts-core-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.5 (RHEL v.6)", product_id: "6Server-Satellite55:struts-core-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-core-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite55", }, { category: "default_component_of", full_product_name: { name: "struts-extras-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.5 (RHEL v.6)", product_id: "6Server-Satellite55:struts-extras-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-extras-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite55", }, { category: "default_component_of", full_product_name: { name: "struts-taglib-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.5 (RHEL v.6)", product_id: "6Server-Satellite55:struts-taglib-0:1.3.10-6.ep5.el6.noarch", }, product_reference: 
"struts-taglib-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite55", }, { category: "default_component_of", full_product_name: { name: "struts-tiles-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.5 (RHEL v.6)", product_id: "6Server-Satellite55:struts-tiles-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-tiles-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite55", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.6 (RHEL v.6)", product_id: "6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite56", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.3.10-6.ep5.el6.src as a component of Red Hat Satellite 5.6 (RHEL v.6)", product_id: "6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.src", }, product_reference: "struts-0:1.3.10-6.ep5.el6.src", relates_to_product_reference: "6Server-Satellite56", }, { category: "default_component_of", full_product_name: { name: "struts-core-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.6 (RHEL v.6)", product_id: "6Server-Satellite56:struts-core-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-core-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite56", }, { category: "default_component_of", full_product_name: { name: "struts-extras-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.6 (RHEL v.6)", product_id: "6Server-Satellite56:struts-extras-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-extras-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite56", }, { category: "default_component_of", full_product_name: { name: "struts-taglib-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.6 (RHEL v.6)", product_id: 
"6Server-Satellite56:struts-taglib-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-taglib-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite56", }, { category: "default_component_of", full_product_name: { name: "struts-tiles-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.6 (RHEL v.6)", product_id: "6Server-Satellite56:struts-tiles-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-tiles-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite56", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.4 (RHEL v.6)", product_id: "6Server-Satellite:struts-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite", }, { category: "default_component_of", full_product_name: { name: "struts-0:1.3.10-6.ep5.el6.src as a component of Red Hat Satellite 5.4 (RHEL v.6)", product_id: "6Server-Satellite:struts-0:1.3.10-6.ep5.el6.src", }, product_reference: "struts-0:1.3.10-6.ep5.el6.src", relates_to_product_reference: "6Server-Satellite", }, { category: "default_component_of", full_product_name: { name: "struts-core-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.4 (RHEL v.6)", product_id: "6Server-Satellite:struts-core-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-core-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite", }, { category: "default_component_of", full_product_name: { name: "struts-extras-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.4 (RHEL v.6)", product_id: "6Server-Satellite:struts-extras-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-extras-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite", }, { category: "default_component_of", full_product_name: { name: "struts-taglib-0:1.3.10-6.ep5.el6.noarch as a component of Red 
Hat Satellite 5.4 (RHEL v.6)", product_id: "6Server-Satellite:struts-taglib-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-taglib-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite", }, { category: "default_component_of", full_product_name: { name: "struts-tiles-0:1.3.10-6.ep5.el6.noarch as a component of Red Hat Satellite 5.4 (RHEL v.6)", product_id: "6Server-Satellite:struts-tiles-0:1.3.10-6.ep5.el6.noarch", }, product_reference: "struts-tiles-0:1.3.10-6.ep5.el6.noarch", relates_to_product_reference: "6Server-Satellite", }, ], }, vulnerabilities: [ { cve: "CVE-2014-0114", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2014-04-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1091938", }, ], notes: [ { category: "description", text: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", title: "Vulnerability description", }, { category: "summary", text: "1: Class Loader manipulation via request parameters", title: "Vulnerability summary", }, { category: "other", text: "This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. 
Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.src", "6Server-Satellite55:struts-core-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-extras-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-taglib-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-tiles-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.src", "6Server-Satellite56:struts-core-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-extras-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-taglib-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-tiles-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-0:1.3.10-6.ep5.el6.src", "6Server-Satellite:struts-core-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-extras-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-taglib-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-tiles-0:1.3.10-6.ep5.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0114", }, { category: "external", summary: "RHBZ#1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0114", url: "https://www.cve.org/CVERecord?id=CVE-2014-0114", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", url: 
"https://nvd.nist.gov/vuln/detail/CVE-2014-0114", }, ], release_date: "2014-04-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-05-14T19:07:42+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258", product_ids: [ "6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.src", "6Server-Satellite55:struts-core-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-extras-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-taglib-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-tiles-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.src", "6Server-Satellite56:struts-core-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-extras-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-taglib-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-tiles-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-0:1.3.10-6.ep5.el6.src", "6Server-Satellite:struts-core-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-extras-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-taglib-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-tiles-0:1.3.10-6.ep5.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0500", }, { category: "workaround", details: "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua", product_ids: [ "6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.src", 
"6Server-Satellite55:struts-core-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-extras-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-taglib-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-tiles-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.src", "6Server-Satellite56:struts-core-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-extras-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-taglib-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-tiles-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-0:1.3.10-6.ep5.el6.src", "6Server-Satellite:struts-core-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-extras-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-taglib-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-tiles-0:1.3.10-6.ep5.el6.noarch", ], }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-0:1.3.10-6.ep5.el6.src", "6Server-Satellite55:struts-core-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-extras-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-taglib-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite55:struts-tiles-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-0:1.3.10-6.ep5.el6.src", "6Server-Satellite56:struts-core-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-extras-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-taglib-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite56:struts-tiles-0:1.3.10-6.ep5.el6.noarch", 
"6Server-Satellite:struts-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-0:1.3.10-6.ep5.el6.src", "6Server-Satellite:struts-core-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-extras-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-taglib-0:1.3.10-6.ep5.el6.noarch", "6Server-Satellite:struts-tiles-0:1.3.10-6.ep5.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "1: Class Loader manipulation via request parameters", }, ], }
rhsa-2018:2669
Vulnerability from csaf_redhat
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat Fuse.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform.\n\nThis release of Red Hat Fuse 7.1 serves as a replacement for Red Hat Fuse 7.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* Apache Struts 1: Class Loader manipulation via request parameters (CVE-2014-0114)\n\n* thrift: Improper file path sanitization in t_go_generator.cc:format_go_output() of the go client library can allow an attacker to inject commands (CVE-2016-5397)\n\n* slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088)\n\n* jolokia: JMX proxy mode vulnerable to remote code execution (CVE-2018-1000130)\n\n* bouncycastle: DSA does not fully validate ASN.1 encoding during signature verification allowing for injection of unsigned data (CVE-2016-1000338)\n\n* bouncycastle: Information leak in AESFastEngine class (CVE-2016-1000339)\n\n* bouncycastle: Information exposure in DSA signature generation via timing attack (CVE-2016-1000341)\n\n* bouncycastle: ECDSA improper validation of ASN.1 encoding of signature 
(CVE-2016-1000342)\n\n* bouncycastle: DHIES implementation allowed the use of ECB mode (CVE-2016-1000344)\n\n* bouncycastle: DHIES/ECIES CBC modes are vulnerable to padding oracle attack (CVE-2016-1000345)\n\n* bouncycastle: Other party DH public keys are not fully validated (CVE-2016-1000346)\n\n* bouncycastle: ECIES implementation allowed the use of ECB mode (CVE-2016-1000352)\n\n* async-http-client: Invalid URL parsing with '?' (CVE-2017-14063)\n\n* undertow: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service (CVE-2018-1114)\n\n* spring-framework: Directory traversal vulnerability with static resources on Windows filesystems (CVE-2018-1271)\n\n* tika: Infinite loop in BPGParser can allow remote attacker to cause a denial of service (CVE-2018-1338)\n\n* tika: Infinite loop in ChmParser can allow remote attacker to cause a denial of service (CVE-2018-1339)\n\n* pdfbox: Infinite loop in AFMParser.java allows for out of memory errors via crafted PDF (CVE-2018-8036)\n\n* jolokia: Cross site scripting in the HTTP servlet (CVE-2018-1000129)\n\n* bouncycastle: flaw in the low-level interface to RSA key pair generator (CVE-2018-1000180)\n\n* bouncycastle: Carry propagation bug in math.raw.Nat??? class (CVE-2016-1000340)\n\n* bouncycastle: DSA key pair generator generates a weak private key by default (CVE-2016-1000343)\n\n* spring-framework: Multipart content pollution (CVE-2018-1272)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Chris McCown for reporting CVE-2018-8088.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). 
If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2018:2669", url: "https://access.redhat.com/errata/RHSA-2018:2669", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=7.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=7.1.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.1/", url: "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.1/", }, { category: "external", summary: "https://access.redhat.com/articles/2939351", url: "https://access.redhat.com/articles/2939351", }, { category: "external", summary: "1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "external", summary: "1487563", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1487563", }, { category: "external", summary: "1544620", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1544620", }, { category: "external", summary: "1548909", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1548909", }, { category: "external", summary: "1559316", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1559316", }, { category: "external", summary: 
"1559317", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1559317", }, { category: "external", summary: "1564408", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1564408", }, { category: "external", summary: "1571050", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1571050", }, { category: "external", summary: "1572421", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1572421", }, { category: "external", summary: "1572424", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1572424", }, { category: "external", summary: "1573045", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1573045", }, { category: "external", summary: "1588306", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588306", }, { category: "external", summary: "1588313", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588313", }, { category: "external", summary: "1588314", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588314", }, { category: "external", summary: "1588323", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588323", }, { category: "external", summary: "1588327", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588327", }, { category: "external", summary: "1588330", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588330", }, { category: "external", summary: "1588688", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588688", }, { category: "external", summary: "1588695", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588695", }, { category: "external", summary: "1588708", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588708", }, { category: "external", summary: "1588715", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588715", }, { category: "external", summary: "1588721", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588721", }, { category: "external", summary: "1597490", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1597490", }, { category: "self", summary: "Canonical URL", url: 
"https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_2669.json", }, ], title: "Red Hat Security Advisory: Fuse 7.1 security update", tracking: { current_release_date: "2025-02-03T19:30:41+00:00", generator: { date: "2025-02-03T19:30:41+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.6", }, }, id: "RHSA-2018:2669", initial_release_date: "2018-09-11T07:53:47+00:00", revision_history: [ { date: "2018-09-11T07:53:47+00:00", number: "1", summary: "Initial version", }, { date: "2018-09-11T07:53:47+00:00", number: "2", summary: "Last updated version", }, { date: "2025-02-03T19:30:41+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Fuse 7", product: { name: "Red Hat JBoss Fuse 7", product_id: "Red Hat JBoss Fuse 7", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:7", }, }, }, ], category: "product_family", name: "Red Hat JBoss Fuse", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2014-0114", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2014-04-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1091938", }, ], notes: [ { category: "description", text: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", title: "Vulnerability description", }, { category: "summary", text: "1: Class Loader manipulation via request parameters", title: "Vulnerability 
summary", }, { category: "other", text: "This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0114", }, { category: "external", summary: "RHBZ#1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0114", url: "https://www.cve.org/CVERecord?id=CVE-2014-0114", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", }, ], release_date: "2014-04-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the 
update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, { category: "workaround", details: "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua", product_ids: [ "Red Hat JBoss Fuse 7", ], }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "1: Class Loader manipulation via request parameters", }, { cve: "CVE-2016-5397", cwe: { id: "CWE-78", name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", }, discovery_date: "2018-02-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1544620", }, ], notes: [ { category: "description", text: "The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affected Apache Thrift 0.9.3 and older, Fixed in Apache Thrift 0.10.0.", title: "Vulnerability description", }, { category: "summary", text: "thrift: Improper file path sanitization in t_go_generator.cc:format_go_output() of the go client library can allow an attacker to inject commands", title: "Vulnerability summary", }, { category: "other", text: "libthrift is a library used by OpenDaylight which is shipped with Red Hat OpenStack. 
Whilst the version of the library used contains the vulnerable code it is not used by OpenDaylight and hence not exposed.\n\nJBoss fuse 6.3 ships libthrift via insight-activemq fabric-8 profile, however the vulnerable code is not used by fabric-8 so fuse 6.3 is not affected.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-5397", }, { category: "external", summary: "RHBZ#1544620", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1544620", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-5397", url: "https://www.cve.org/CVERecord?id=CVE-2016-5397", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-5397", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-5397", }, ], release_date: "2016-07-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: 
"LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "thrift: Improper file path sanitization in t_go_generator.cc:format_go_output() of the go client library can allow an attacker to inject commands", }, { cve: "CVE-2016-1000338", cwe: { id: "CWE-325", name: "Missing Cryptographic Step", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588313", }, ], notes: [ { category: "description", text: "In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: DSA does not fully validate ASN.1 encoding during signature verification allowing for injection of unsigned data", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000338", }, { category: "external", summary: "RHBZ#1588313", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588313", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000338", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000338", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000338", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000338", }, ], release_date: "2016-10-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", 
}, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: DSA does not fully validate ASN.1 encoding during signature verification allowing for injection of unsigned data", }, { cve: "CVE-2016-1000339", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588695", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Information leak in AESFastEngine class", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000339", }, { category: "external", summary: "RHBZ#1588695", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588695", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000339", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000339", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000339", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000339", }, ], release_date: "2018-06-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", 
}, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Information leak in AESFastEngine class", }, { cve: "CVE-2016-1000340", cwe: { id: "CWE-682", name: "Incorrect Calculation", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588688", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Carry propagation bug in math.raw.Nat??? class", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Low. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000340", }, { category: "external", summary: "RHBZ#1588688", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588688", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000340", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000340", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000340", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000340", }, ], release_date: "2018-06-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 2.9, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, 
products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "bouncycastle: Carry propagation bug in math.raw.Nat??? class", }, { cve: "CVE-2016-1000341", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588708", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Information exposure in DSA signature generation via timing attack", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000341", }, { category: "external", summary: "RHBZ#1588708", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588708", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000341", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000341", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000341", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000341", }, ], release_date: "2018-06-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", 
}, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Information exposure in DSA signature generation via timing attack", }, { cve: "CVE-2016-1000342", cwe: { id: "CWE-295", name: "Improper Certificate Validation", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588715", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: ECDSA improper validation of ASN.1 encoding of signature", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000342", }, { category: "external", summary: "RHBZ#1588715", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588715", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000342", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000342", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000342", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000342", }, ], release_date: "2018-06-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.0", 
}, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: ECDSA improper validation of ASN.1 encoding of signature", }, { cve: "CVE-2016-1000343", cwe: { id: "CWE-338", name: "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588721", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: DSA key pair generator generates a weak private key by default", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Low. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000343", }, { category: "external", summary: "RHBZ#1588721", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588721", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000343", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000343", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000343", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000343", }, ], release_date: "2018-06-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 2.9, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, 
products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "bouncycastle: DSA key pair generator generates a weak private key by default", }, { cve: "CVE-2016-1000344", cwe: { id: "CWE-325", name: "Missing Cryptographic Step", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588314", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: DHIES implementation allowed the use of ECB mode", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000344", }, { category: "external", summary: "RHBZ#1588314", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588314", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000344", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000344", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000344", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000344", }, ], release_date: "2016-04-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", 
}, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: DHIES implementation allowed the use of ECB mode", }, { cve: "CVE-2016-1000345", cwe: { id: "CWE-325", name: "Missing Cryptographic Step", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588323", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode is vulnerable to a padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: DHIES/ECIES CBC modes are vulnerable to padding oracle attack", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000345", }, { category: "external", summary: "RHBZ#1588323", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588323", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000345", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000345", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000345", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000345", }, ], release_date: "2016-04-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", 
}, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: DHIES/ECIES CBC modes are vulnerable to padding oracle attack", }, { cve: "CVE-2016-1000346", cwe: { id: "CWE-325", name: "Missing Cryptographic Step", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588327", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Other party DH public keys are not fully validated", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000346", }, { category: "external", summary: "RHBZ#1588327", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588327", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000346", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000346", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000346", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000346", }, ], release_date: "2016-10-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", 
}, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Other party DH public keys are not fully validated", }, { cve: "CVE-2016-1000352", cwe: { id: "CWE-325", name: "Missing Cryptographic Step", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588330", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: ECIES implementation allowed the use of ECB mode", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000352", }, { category: "external", summary: "RHBZ#1588330", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588330", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000352", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000352", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000352", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000352", }, ], release_date: "2016-04-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", 
}, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: ECIES implementation allowed the use of ECB mode", }, { cve: "CVE-2017-14063", discovery_date: "2017-08-31T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1487563", }, ], notes: [ { category: "description", text: "Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.", title: "Vulnerability description", }, { category: "summary", text: "async-http-client: Invalid URL parsing with '?'", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-14063", }, { category: "external", summary: "RHBZ#1487563", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1487563", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-14063", url: "https://www.cve.org/CVERecord?id=CVE-2017-14063", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-14063", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-14063", }, ], release_date: "2017-08-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in 
the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "async-http-client: Invalid URL parsing with '?'", }, { cve: "CVE-2018-1114", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2018-04-30T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1573045", }, ], notes: [ { category: "description", text: "It was found that URLResource.getLastModified() in Undertow closes the file descriptors only when they are finalized which can cause file descriptors to exhaust. 
This leads to a file handler leak.", title: "Vulnerability description", }, { category: "summary", text: "undertow: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-1114", }, { category: "external", summary: "RHBZ#1573045", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1573045", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-1114", url: "https://www.cve.org/CVERecord?id=CVE-2018-1114", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-1114", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-1114", }, { category: "external", summary: "https://bugs.openjdk.java.net/browse/JDK-6956385", url: "https://bugs.openjdk.java.net/browse/JDK-6956385", }, { category: "external", summary: "https://issues.jboss.org/browse/UNDERTOW-1338", url: "https://issues.jboss.org/browse/UNDERTOW-1338", }, ], release_date: "2018-04-21T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: 
"https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "undertow: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service", }, { cve: "CVE-2018-1271", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2018-04-24T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1571050", }, ], notes: [ { category: "description", text: "Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). 
When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.", title: "Vulnerability description", }, { category: "summary", text: "spring-framework: Directory traversal vulnerability with static resources on Windows filesystems", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-1271", }, { category: "external", summary: "RHBZ#1571050", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1571050", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-1271", url: "https://www.cve.org/CVERecord?id=CVE-2018-1271", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-1271", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-1271", }, { category: "external", summary: "https://pivotal.io/security/cve-2018-1271", url: "https://pivotal.io/security/cve-2018-1271", }, ], release_date: "2018-04-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: 
"https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "spring-framework: Directory traversal vulnerability with static resources on Windows filesystems", }, { cve: "CVE-2018-1272", cwe: { id: "CWE-88", name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", }, discovery_date: "2018-04-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1564408", }, ], notes: [ { category: "description", text: "Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. 
This could lead to privilege escalation, for example, if the part content represents a username or user roles.", title: "Vulnerability description", }, { category: "summary", text: "spring-framework: Multipart content pollution", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-1272", }, { category: "external", summary: "RHBZ#1564408", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1564408", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-1272", url: "https://www.cve.org/CVERecord?id=CVE-2018-1272", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-1272", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-1272", }, { category: "external", summary: "https://pivotal.io/security/cve-2018-1272", url: "https://pivotal.io/security/cve-2018-1272", }, ], release_date: "2018-04-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, 
baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "spring-framework: Multipart content pollution", }, { cve: "CVE-2018-1338", cwe: { id: "CWE-835", name: "Loop with Unreachable Exit Condition ('Infinite Loop')", }, discovery_date: "2018-04-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1572421", }, ], notes: [ { category: "description", text: "An infinite loop vulnerability was discovered in Apache Tika prior to version 1.18. A remote attacker could exploit this to cause a denial of service via a crafted file.", title: "Vulnerability description", }, { category: "summary", text: "tika: Infinite loop in BPGParser can allow remote attacker to cause a denial of service", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of tika embedded in the nutch package as shipped with Red Hat Satellite 5. The tika server is not exposed; as such, exploitation is difficult, and Red Hat Product Security has rated this issue as having a security impact of Low. A future update may address this issue. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-1338", }, { category: "external", summary: "RHBZ#1572421", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1572421", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-1338", url: "https://www.cve.org/CVERecord?id=CVE-2018-1338", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-1338", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-1338", }, { category: "external", summary: "https://lists.apache.org/thread.html/4d20c5748fb9f836653bc78a1bad991ba8485d82a1e821f70b641932@%3Cdev.tika.apache.org%3E", url: "https://lists.apache.org/thread.html/4d20c5748fb9f836653bc78a1bad991ba8485d82a1e821f70b641932@%3Cdev.tika.apache.org%3E", }, ], release_date: "2018-04-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", 
availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tika: Infinite loop in BPGParser can allow remote attacker to cause a denial of service", }, { cve: "CVE-2018-1339", cwe: { id: "CWE-835", name: "Loop with Unreachable Exit Condition ('Infinite Loop')", }, discovery_date: "2018-04-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1572424", }, ], notes: [ { category: "description", text: "A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's ChmParser in versions of Apache Tika before 1.18.", title: "Vulnerability description", }, { category: "summary", text: "tika: Infinite loop in ChmParser can allow remote attacker to cause a denial of service", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of tika embedded in the nutch package as shipped with Red Hat Satellite 5. The tika server is not exposed; as such, exploitation is difficult, and Red Hat Product Security has rated this issue as having a security impact of Low. A future update may address this issue. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-1339", }, { category: "external", summary: "RHBZ#1572424", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1572424", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-1339", url: "https://www.cve.org/CVERecord?id=CVE-2018-1339", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-1339", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-1339", }, { category: "external", summary: "https://lists.apache.org/thread.html/4d2cb5c819401bb075e2a1130e0d14f0404a136541a6f91da0225828@%3Cdev.tika.apache.org%3E", url: "https://lists.apache.org/thread.html/4d2cb5c819401bb075e2a1130e0d14f0404a136541a6f91da0225828@%3Cdev.tika.apache.org%3E", }, ], release_date: "2018-04-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", 
availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tika: Infinite loop in ChmParser can allow remote attacker to cause a denial of service", }, { cve: "CVE-2018-8036", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2018-07-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1597490", }, ], notes: [ { category: "description", text: "In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.", title: "Vulnerability description", }, { category: "summary", text: "pdfbox: Infinite loop in AFMParser.java allows for out of memory erros via crafted PDF", title: "Vulnerability summary", }, { category: "other", text: "While Fuse 6.3 and Fuse 7.0 ship vulnerable artifact via camel-pdfbox, however, the flawed code is not being used therefore no execution path leads to an exposure to this vulnerability, so both Fuse 6.3, 7 standalone are not affected. 
However, Fuse 7.0 on OpenShift ship vulnerable artifact via maven BOM, so setting Fuse 7.0 as affected for this reason only.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-8036", }, { category: "external", summary: "RHBZ#1597490", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1597490", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-8036", url: "https://www.cve.org/CVERecord?id=CVE-2018-8036", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-8036", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-8036", }, { category: "external", summary: "http://www.openwall.com/lists/oss-security/2018/06/29/1", url: "http://www.openwall.com/lists/oss-security/2018/06/29/1", }, ], release_date: "2018-07-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", 
privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "pdfbox: Infinite loop in AFMParser.java allows for out of memory erros via crafted PDF", }, { acknowledgments: [ { names: [ "Chris McCown", ], }, ], cve: "CVE-2018-8088", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2018-02-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1548909", }, ], notes: [ { category: "description", text: "An XML deserialization vulnerability was discovered in slf4j's EventData, which accepts an XML serialized string and can lead to arbitrary code execution.", title: "Vulnerability description", }, { category: "summary", text: "slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution", title: "Vulnerability summary", }, { category: "other", text: "Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Important, and is not currently planned to be addressed in future updates.\n\nThis issue did not affect the versions of Candlepin as shipped with Red Hat Satellite 6 as Candlepin uses slf4j-api and not the affected slf4j-ext (which is not on the Candlepin classpath).\n\nRed Hat Enterprise Virtualization Manager 4.1 is affected by this issue. Updated packages that address this issue are available through the Red Hat Enterprise Linux Server channels. 
Virtualization Manager hosts should be subscribed to these channels and obtain the updates via `yum update`.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-8088", }, { category: "external", summary: "RHBZ#1548909", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1548909", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-8088", url: "https://www.cve.org/CVERecord?id=CVE-2018-8088", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-8088", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-8088", }, ], release_date: "2018-02-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", 
], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution", }, { cve: "CVE-2018-1000129", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2018-03-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1559317", }, ], notes: [ { category: "description", text: "An XSS vulnerability exists in the Jolokia agent version 1.3.7 in the HTTP servlet that allows an attacker to execute malicious javascript in the victim's browser.", title: "Vulnerability description", }, { category: "summary", text: "jolokia: Cross site scripting in the HTTP servlet", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Product Security has rated this issue as having security impact of Low for:\n* Red Hat OpenStack Platform 9.0 (Mitaka)\n* Red Hat OpenStack Platform 10.0 (Newton) \n* Red Hat OpenStack Platform 11.0 (Ocata)\n* Red Hat OpenStack Platform 12.0 (Pike)\n\nAlthough the affected code is present in shipped packages, data returned by Jolokia is correctly processed and invalid data is not used. This issue is not currently planned to be addressed in future updates. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-1000129", }, { category: "external", summary: "RHBZ#1559317", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1559317", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-1000129", url: "https://www.cve.org/CVERecord?id=CVE-2018-1000129", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-1000129", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-1000129", }, { category: "external", summary: "https://jolokia.org/#Security_fixes_with_1.5.0", url: "https://jolokia.org/#Security_fixes_with_1.5.0", }, ], release_date: "2018-02-08T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", 
privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jolokia: Cross site scripting in the HTTP servlet", }, { cve: "CVE-2018-1000130", cwe: { id: "CWE-99", name: "Improper Control of Resource Identifiers ('Resource Injection')", }, discovery_date: "2018-03-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1559316", }, ], notes: [ { category: "description", text: "A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 in the proxy mode that allows a remote attacker to run arbitrary Java code on the server.", title: "Vulnerability description", }, { category: "summary", text: "jolokia: JMX proxy mode vulnerable to remote code execution", title: "Vulnerability summary", }, { category: "other", text: "For Red Hat OpenStack Platform, although the affected code is present in shipped packages, proxy mode is not enabled by default and the affected code is not used in any supported configuration of Red Hat OpenStack Platform. 
For this reason, the RHOSP impact as been reduced to Low and this issue is not currently planned to be addressed in future updates.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-1000130", }, { category: "external", summary: "RHBZ#1559316", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1559316", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-1000130", url: "https://www.cve.org/CVERecord?id=CVE-2018-1000130", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-1000130", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-1000130", }, { category: "external", summary: "https://jolokia.org/#Security_fixes_with_1.5.0", url: "https://jolokia.org/#Security_fixes_with_1.5.0", }, ], release_date: "2018-02-08T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", 
privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jolokia: JMX proxy mode vulnerable to remote code execution", }, { cve: "CVE-2018-1000180", cwe: { id: "CWE-325", name: "Missing Cryptographic Step", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588306", }, ], notes: [ { category: "description", text: "A vulnerability was found in BouncyCastle. The number of iterations of the Miller-Rabin primality test was incorrectly calculated (according to FIPS 186-4 C.3). Under some circumstances, this could lead to the generation of weak RSA key pairs.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: flaw in the low-level interface to RSA key pair generator", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.\n\nRed Hat Satellite 6.5 isn't vulnerable to this issue, since it doesn't ship bouncycastle jar file anymore.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-1000180", }, { category: "external", summary: "RHBZ#1588306", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588306", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-1000180", url: "https://www.cve.org/CVERecord?id=CVE-2018-1000180", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-1000180", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-1000180", }, ], release_date: "2018-04-18T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: 
"UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: flaw in the low-level interface to RSA key pair generator", }, ], }
rhsa-2014:0497
Vulnerability from csaf_redhat
Notes
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss Fuse 6.1.0 Patch 1, a security update that addresses one\nsecurity issue, is now available from the Red Hat Customer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,\nflexible, open source enterprise service bus and integration platform.\n\nIt was found that the Struts 1 ActionForm object allowed access to the\n'class' parameter, which is directly mapped to the getClass() method.\nA remote attacker could use this flaw to manipulate the ClassLoader used by\nan application server running Struts 1. This could lead to remote code\nexecution under certain conditions. (CVE-2014-0114)\n\nRefer to the readme.txt file included with the patch files for\ninstallation instructions.\n\nAll users of Red Hat JBoss Fuse 6.1.0 as provided from the Red Hat Customer\nPortal are advised to apply this security update.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2014:0497", url: "https://access.redhat.com/errata/RHSA-2014:0497", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.1.0", }, { category: "external", summary: "1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0497.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Fuse 6.1.0 security update", tracking: { current_release_date: "2024-11-22T07:57:04+00:00", generator: { date: "2024-11-22T07:57:04+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2014:0497", initial_release_date: "2014-05-14T18:06:57+00:00", revision_history: [ { date: "2014-05-14T18:06:57+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:31:38+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T07:57:04+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: 
"Red Hat JBoss Fuse 6.1", product: { name: "Red Hat JBoss Fuse 6.1", product_id: "Red Hat JBoss Fuse 6.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:6.1.0", }, }, }, ], category: "product_family", name: "Red Hat JBoss Fuse", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2014-0114", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2014-04-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1091938", }, ], notes: [ { category: "description", text: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", title: "Vulnerability description", }, { category: "summary", text: "1: Class Loader manipulation via request parameters", title: "Vulnerability summary", }, { category: "other", text: "This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. 
Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0114", }, { category: "external", summary: "RHBZ#1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0114", url: "https://www.cve.org/CVERecord?id=CVE-2014-0114", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", }, ], release_date: "2014-04-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-05-14T18:06:57+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0497", }, { category: "workaround", details: "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua", product_ids: [ "Red Hat JBoss Fuse 6.1", ], }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "1: Class Loader manipulation 
via request parameters", }, ], }
rhsa-2018_2669
Vulnerability from csaf_redhat
Notes
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat Fuse.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform.\n\nThis release of Red Hat Fuse 7.1 serves as a replacement for Red Hat Fuse 7.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* Apache Struts 1: Class Loader manipulation via request parameters (CVE-2014-0114)\n\n* thrift: Improper file path sanitization in t_go_generator.cc:format_go_output() of the go client library can allow an attacker to inject commands (CVE-2016-5397)\n\n* slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088)\n\n* jolokia: JMX proxy mode vulnerable to remote code execution (CVE-2018-1000130)\n\n* bouncycastle: DSA does not fully validate ASN.1 encoding during signature verification allowing for injection of unsigned data (CVE-2016-1000338)\n\n* bouncycastle: Information leak in AESFastEngine class (CVE-2016-1000339)\n\n* bouncycastle: Information exposure in DSA signature generation via timing attack (CVE-2016-1000341)\n\n* bouncycastle: ECDSA improper validation of ASN.1 encoding of signature 
(CVE-2016-1000342)\n\n* bouncycastle: DHIES implementation allowed the use of ECB mode (CVE-2016-1000344)\n\n* bouncycastle: DHIES/ECIES CBC modes are vulnerable to padding oracle attack (CVE-2016-1000345)\n\n* bouncycastle: Other party DH public keys are not fully validated (CVE-2016-1000346)\n\n* bouncycastle: ECIES implementation allowed the use of ECB mode (CVE-2016-1000352)\n\n* async-http-client: Invalid URL parsing with '?' (CVE-2017-14063)\n\n* undertow: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service (CVE-2018-1114)\n\n* spring-framework: Directory traversal vulnerability with static resources on Windows filesystems (CVE-2018-1271)\n\n* tika: Infinite loop in BPGParser can allow remote attacker to cause a denial of service (CVE-2018-1338)\n\n* tika: Infinite loop in ChmParser can allow remote attacker to cause a denial of service (CVE-2018-1339)\n\n* pdfbox: Infinite loop in AFMParser.java allows for out of memory erros via crafted PDF (CVE-2018-8036)\n\n* jolokia: Cross site scripting in the HTTP servlet (CVE-2018-1000129)\n\n* bouncycastle: flaw in the low-level interface to RSA key pair generator (CVE-2018-1000180)\n\n* bouncycastle: Carry propagation bug in math.raw.Nat??? class (CVE-2016-1000340)\n\n* bouncycastle: DSA key pair generator generates a weak private key by default (CVE-2016-1000343)\n\n* spring-framework: Multipart content pollution (CVE-2018-1272)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Chris McCown for reporting CVE-2018-8088.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). 
If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2018:2669", url: "https://access.redhat.com/errata/RHSA-2018:2669", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=7.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=7.1.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.1/", url: "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.1/", }, { category: "external", summary: "https://access.redhat.com/articles/2939351", url: "https://access.redhat.com/articles/2939351", }, { category: "external", summary: "1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "external", summary: "1487563", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1487563", }, { category: "external", summary: "1544620", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1544620", }, { category: "external", summary: "1548909", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1548909", }, { category: "external", summary: "1559316", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1559316", }, { category: "external", summary: 
"1559317", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1559317", }, { category: "external", summary: "1564408", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1564408", }, { category: "external", summary: "1571050", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1571050", }, { category: "external", summary: "1572421", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1572421", }, { category: "external", summary: "1572424", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1572424", }, { category: "external", summary: "1573045", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1573045", }, { category: "external", summary: "1588306", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588306", }, { category: "external", summary: "1588313", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588313", }, { category: "external", summary: "1588314", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588314", }, { category: "external", summary: "1588323", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588323", }, { category: "external", summary: "1588327", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588327", }, { category: "external", summary: "1588330", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588330", }, { category: "external", summary: "1588688", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588688", }, { category: "external", summary: "1588695", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588695", }, { category: "external", summary: "1588708", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588708", }, { category: "external", summary: "1588715", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588715", }, { category: "external", summary: "1588721", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588721", }, { category: "external", summary: "1597490", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1597490", }, { category: "self", summary: "Canonical URL", url: 
"https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_2669.json", }, ], title: "Red Hat Security Advisory: Fuse 7.1 security update", tracking: { current_release_date: "2024-12-15T18:46:52+00:00", generator: { date: "2024-12-15T18:46:52+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2018:2669", initial_release_date: "2018-09-11T07:53:47+00:00", revision_history: [ { date: "2018-09-11T07:53:47+00:00", number: "1", summary: "Initial version", }, { date: "2018-09-11T07:53:47+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-15T18:46:52+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Fuse 7", product: { name: "Red Hat JBoss Fuse 7", product_id: "Red Hat JBoss Fuse 7", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:7", }, }, }, ], category: "product_family", name: "Red Hat JBoss Fuse", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2014-0114", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2014-04-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1091938", }, ], notes: [ { category: "description", text: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", title: "Vulnerability description", }, { category: "summary", text: "1: Class Loader manipulation via request parameters", title: "Vulnerability 
summary", }, { category: "other", text: "This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0114", }, { category: "external", summary: "RHBZ#1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0114", url: "https://www.cve.org/CVERecord?id=CVE-2014-0114", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", }, ], release_date: "2014-04-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the 
update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, { category: "workaround", details: "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua", product_ids: [ "Red Hat JBoss Fuse 7", ], }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "1: Class Loader manipulation via request parameters", }, { cve: "CVE-2016-5397", cwe: { id: "CWE-78", name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", }, discovery_date: "2018-02-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1544620", }, ], notes: [ { category: "description", text: "The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affected Apache Thrift 0.9.3 and older, Fixed in Apache Thrift 0.10.0.", title: "Vulnerability description", }, { category: "summary", text: "thrift: Improper file path sanitization in t_go_generator.cc:format_go_output() of the go client library can allow an attacker to inject commands", title: "Vulnerability summary", }, { category: "other", text: "libthrift is a library used by OpenDaylight which is shipped with Red Hat OpenStack. 
Whilst the version of the library used contains the vulnerable code it is not used by OpenDaylight and hence not exposed.\n\nJBoss fuse 6.3 ships libthrift via insight-activemq fabric-8 profile, however the vulnerable code is not used by fabric-8 so fuse 6.3 is not affected.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-5397", }, { category: "external", summary: "RHBZ#1544620", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1544620", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-5397", url: "https://www.cve.org/CVERecord?id=CVE-2016-5397", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-5397", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-5397", }, ], release_date: "2016-07-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: 
"LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "thrift: Improper file path sanitization in t_go_generator.cc:format_go_output() of the go client library can allow an attacker to inject commands", }, { cve: "CVE-2016-1000338", cwe: { id: "CWE-325", name: "Missing Cryptographic Step", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588313", }, ], notes: [ { category: "description", text: "In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: DSA does not fully validate ASN.1 encoding during signature verification allowing for injection of unsigned data", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000338", }, { category: "external", summary: "RHBZ#1588313", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588313", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000338", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000338", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000338", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000338", }, ], release_date: "2016-10-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", 
}, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: DSA does not fully validate ASN.1 encoding during signature verification allowing for injection of unsigned data", }, { cve: "CVE-2016-1000339", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588695", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Information leak in AESFastEngine class", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000339", }, { category: "external", summary: "RHBZ#1588695", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588695", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000339", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000339", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000339", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000339", }, ], release_date: "2018-06-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", 
}, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Information leak in AESFastEngine class", }, { cve: "CVE-2016-1000340", cwe: { id: "CWE-682", name: "Incorrect Calculation", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588688", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes (org.bouncycastle.math.raw.Nat???); it has since been fixed. These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Carry propagation bug in math.raw.Nat??? class", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Low. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000340", }, { category: "external", summary: "RHBZ#1588688", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588688", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000340", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000340", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000340", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000340", }, ], release_date: "2018-06-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 2.9, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, 
products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "bouncycastle: Carry propagation bug in math.raw.Nat??? class", }, { cve: "CVE-2016-1000341", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588708", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Information exposure in DSA signature generation via timing attack", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000341", }, { category: "external", summary: "RHBZ#1588708", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588708", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000341", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000341", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000341", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000341", }, ], release_date: "2018-06-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", 
}, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Information exposure in DSA signature generation via timing attack", }, { cve: "CVE-2016-1000342", cwe: { id: "CWE-295", name: "Improper Certificate Validation", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588715", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: ECDSA improper validation of ASN.1 encoding of signature", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000342", }, { category: "external", summary: "RHBZ#1588715", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588715", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000342", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000342", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000342", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000342", }, ], release_date: "2018-06-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.0", 
}, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: ECDSA improper validation of ASN.1 encoding of signature", }, { cve: "CVE-2016-1000343", cwe: { id: "CWE-338", name: "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588721", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: DSA key pair generator generates a weak private key by default", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Low. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000343", }, { category: "external", summary: "RHBZ#1588721", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588721", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000343", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000343", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000343", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000343", }, ], release_date: "2018-06-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 2.9, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, 
products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "bouncycastle: DSA key pair generator generates a weak private key by default", }, { cve: "CVE-2016-1000344", cwe: { id: "CWE-325", name: "Missing Cryptographic Step", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588314", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: DHIES implementation allowed the use of ECB mode", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000344", }, { category: "external", summary: "RHBZ#1588314", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588314", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000344", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000344", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000344", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000344", }, ], release_date: "2016-04-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", 
}, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: DHIES implementation allowed the use of ECB mode", }, { cve: "CVE-2016-1000345", cwe: { id: "CWE-325", name: "Missing Cryptographic Step", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588323", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode is vulnerable to padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: DHIES/ECIES CBC modes are vulnerable to padding oracle attack", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000345", }, { category: "external", summary: "RHBZ#1588323", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588323", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000345", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000345", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000345", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000345", }, ], release_date: "2016-04-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", 
}, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: DHIES/ECIES CBC modes are vulnerable to padding oracle attack", }, { cve: "CVE-2016-1000346", cwe: { id: "CWE-325", name: "Missing Cryptographic Step", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588327", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Other party DH public keys are not fully validated", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000346", }, { category: "external", summary: "RHBZ#1588327", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588327", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000346", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000346", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000346", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000346", }, ], release_date: "2016-10-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", 
}, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Other party DH public keys are not fully validated", }, { cve: "CVE-2016-1000352", cwe: { id: "CWE-325", name: "Missing Cryptographic Step", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588330", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: ECIES implementation allowed the use of ECB mode", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000352", }, { category: "external", summary: "RHBZ#1588330", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588330", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000352", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000352", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000352", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000352", }, ], release_date: "2016-04-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", 
}, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: ECIES implementation allowed the use of ECB mode", }, { cve: "CVE-2017-14063", discovery_date: "2017-08-31T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1487563", }, ], notes: [ { category: "description", text: "Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.", title: "Vulnerability description", }, { category: "summary", text: "async-http-client: Invalid URL parsing with '?'", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-14063", }, { category: "external", summary: "RHBZ#1487563", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1487563", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-14063", url: "https://www.cve.org/CVERecord?id=CVE-2017-14063", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-14063", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-14063", }, ], release_date: "2017-08-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in 
the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "async-http-client: Invalid URL parsing with '?'", }, { cve: "CVE-2018-1114", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2018-04-30T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1573045", }, ], notes: [ { category: "description", text: "It was found that URLResource.getLastModified() in Undertow closes the file descriptors only when they are finalized which can cause file descriptors to exhaust. 
This leads to a file handler leak.", title: "Vulnerability description", }, { category: "summary", text: "undertow: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-1114", }, { category: "external", summary: "RHBZ#1573045", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1573045", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-1114", url: "https://www.cve.org/CVERecord?id=CVE-2018-1114", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-1114", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-1114", }, { category: "external", summary: "https://bugs.openjdk.java.net/browse/JDK-6956385", url: "https://bugs.openjdk.java.net/browse/JDK-6956385", }, { category: "external", summary: "https://issues.jboss.org/browse/UNDERTOW-1338", url: "https://issues.jboss.org/browse/UNDERTOW-1338", }, ], release_date: "2018-04-21T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: 
"https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "undertow: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service", }, { cve: "CVE-2018-1271", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2018-04-24T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1571050", }, ], notes: [ { category: "description", text: "Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). 
When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.", title: "Vulnerability description", }, { category: "summary", text: "spring-framework: Directory traversal vulnerability with static resources on Windows filesystems", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-1271", }, { category: "external", summary: "RHBZ#1571050", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1571050", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-1271", url: "https://www.cve.org/CVERecord?id=CVE-2018-1271", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-1271", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-1271", }, { category: "external", summary: "https://pivotal.io/security/cve-2018-1271", url: "https://pivotal.io/security/cve-2018-1271", }, ], release_date: "2018-04-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: 
"https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "spring-framework: Directory traversal vulnerability with static resources on Windows filesystems", }, { cve: "CVE-2018-1272", cwe: { id: "CWE-88", name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", }, discovery_date: "2018-04-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1564408", }, ], notes: [ { category: "description", text: "Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. 
This could lead to privilege escalation, for example, if the part content represents a username or user roles.", title: "Vulnerability description", }, { category: "summary", text: "spring-framework: Multipart content pollution", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-1272", }, { category: "external", summary: "RHBZ#1564408", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1564408", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-1272", url: "https://www.cve.org/CVERecord?id=CVE-2018-1272", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-1272", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-1272", }, { category: "external", summary: "https://pivotal.io/security/cve-2018-1272", url: "https://pivotal.io/security/cve-2018-1272", }, ], release_date: "2018-04-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, 
baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "spring-framework: Multipart content pollution", }, { cve: "CVE-2018-1338", cwe: { id: "CWE-835", name: "Loop with Unreachable Exit Condition ('Infinite Loop')", }, discovery_date: "2018-04-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1572421", }, ], notes: [ { category: "description", text: "An infinite loop vulnerability was discovered in Apache Tika prior to version 1.18. A remote attacker could exploit this to cause a denial of service via a crafted file.", title: "Vulnerability description", }, { category: "summary", text: "tika: Infinite loop in BPGParser can allow remote attacker to cause a denial of service", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of tika which are embedded in the nutch package as shipped with Red Hat Satellite 5. The tika server is not exposed, so exploitation is difficult; Red Hat Product Security has rated this issue as having a security impact of Low. A future update may address this issue. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-1338", }, { category: "external", summary: "RHBZ#1572421", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1572421", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-1338", url: "https://www.cve.org/CVERecord?id=CVE-2018-1338", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-1338", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-1338", }, { category: "external", summary: "https://lists.apache.org/thread.html/4d20c5748fb9f836653bc78a1bad991ba8485d82a1e821f70b641932@%3Cdev.tika.apache.org%3E", url: "https://lists.apache.org/thread.html/4d20c5748fb9f836653bc78a1bad991ba8485d82a1e821f70b641932@%3Cdev.tika.apache.org%3E", }, ], release_date: "2018-04-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", 
availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tika: Infinite loop in BPGParser can allow remote attacker to cause a denial of service", }, { cve: "CVE-2018-1339", cwe: { id: "CWE-835", name: "Loop with Unreachable Exit Condition ('Infinite Loop')", }, discovery_date: "2018-04-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1572424", }, ], notes: [ { category: "description", text: "A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's ChmParser in versions of Apache Tika before 1.18.", title: "Vulnerability description", }, { category: "summary", text: "tika: Infinite loop in ChmParser can allow remote attacker to cause a denial of service", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of tika which are embedded in the nutch package as shipped with Red Hat Satellite 5. The tika server is not exposed, so exploitation is difficult; Red Hat Product Security has rated this issue as having a security impact of Low. A future update may address this issue. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-1339", }, { category: "external", summary: "RHBZ#1572424", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1572424", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-1339", url: "https://www.cve.org/CVERecord?id=CVE-2018-1339", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-1339", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-1339", }, { category: "external", summary: "https://lists.apache.org/thread.html/4d2cb5c819401bb075e2a1130e0d14f0404a136541a6f91da0225828@%3Cdev.tika.apache.org%3E", url: "https://lists.apache.org/thread.html/4d2cb5c819401bb075e2a1130e0d14f0404a136541a6f91da0225828@%3Cdev.tika.apache.org%3E", }, ], release_date: "2018-04-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", 
availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tika: Infinite loop in ChmParser can allow remote attacker to cause a denial of service", }, { cve: "CVE-2018-8036", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2018-07-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1597490", }, ], notes: [ { category: "description", text: "In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.", title: "Vulnerability description", }, { category: "summary", text: "pdfbox: Infinite loop in AFMParser.java allows for out of memory errors via crafted PDF", title: "Vulnerability summary", }, { category: "other", text: "While Fuse 6.3 and Fuse 7.0 ship the vulnerable artifact via camel-pdfbox, the flawed code is not used, so no execution path leads to an exposure to this vulnerability; both Fuse 6.3 and Fuse 7 standalone are therefore not affected. 
However, Fuse 7.0 on OpenShift ship vulnerable artifact via maven BOM, so setting Fuse 7.0 as affected for this reason only.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-8036", }, { category: "external", summary: "RHBZ#1597490", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1597490", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-8036", url: "https://www.cve.org/CVERecord?id=CVE-2018-8036", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-8036", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-8036", }, { category: "external", summary: "http://www.openwall.com/lists/oss-security/2018/06/29/1", url: "http://www.openwall.com/lists/oss-security/2018/06/29/1", }, ], release_date: "2018-07-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", 
privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "pdfbox: Infinite loop in AFMParser.java allows for out of memory errors via crafted PDF", }, { acknowledgments: [ { names: [ "Chris McCown", ], }, ], cve: "CVE-2018-8088", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2018-02-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1548909", }, ], notes: [ { category: "description", text: "An XML deserialization vulnerability was discovered in slf4j's EventData, which accepts an XML serialized string and can lead to arbitrary code execution.", title: "Vulnerability description", }, { category: "summary", text: "slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution", title: "Vulnerability summary", }, { category: "other", text: "Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Important, and is not currently planned to be addressed in future updates.\n\nThis issue did not affect the versions of Candlepin as shipped with Red Hat Satellite 6 as Candlepin uses slf4j-api and not the affected slf4j-ext (which is not on the Candlepin classpath).\n\nRed Hat Enterprise Virtualization Manager 4.1 is affected by this issue. Updated packages that address this issue are available through the Red Hat Enterprise Linux Server channels. 
Virtualization Manager hosts should be subscribed to these channels and obtain the updates via `yum update`.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-8088", }, { category: "external", summary: "RHBZ#1548909", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1548909", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-8088", url: "https://www.cve.org/CVERecord?id=CVE-2018-8088", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-8088", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-8088", }, ], release_date: "2018-02-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", 
], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution", }, { cve: "CVE-2018-1000129", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2018-03-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1559317", }, ], notes: [ { category: "description", text: "An XSS vulnerability exists in the Jolokia agent version 1.3.7 in the HTTP servlet that allows an attacker to execute malicious javascript in the victim's browser.", title: "Vulnerability description", }, { category: "summary", text: "jolokia: Cross site scripting in the HTTP servlet", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Product Security has rated this issue as having security impact of Low for:\n* Red Hat OpenStack Platform 9.0 (Mitaka)\n* Red Hat OpenStack Platform 10.0 (Newton) \n* Red Hat OpenStack Platform 11.0 (Ocata)\n* Red Hat OpenStack Platform 12.0 (Pike)\n\nAlthough the affected code is present in shipped packages, data returned by Jolokia is correctly processed and invalid data is not used. This issue is not currently planned to be addressed in future updates. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-1000129", }, { category: "external", summary: "RHBZ#1559317", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1559317", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-1000129", url: "https://www.cve.org/CVERecord?id=CVE-2018-1000129", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-1000129", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-1000129", }, { category: "external", summary: "https://jolokia.org/#Security_fixes_with_1.5.0", url: "https://jolokia.org/#Security_fixes_with_1.5.0", }, ], release_date: "2018-02-08T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", 
privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jolokia: Cross site scripting in the HTTP servlet", }, { cve: "CVE-2018-1000130", cwe: { id: "CWE-99", name: "Improper Control of Resource Identifiers ('Resource Injection')", }, discovery_date: "2018-03-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1559316", }, ], notes: [ { category: "description", text: "A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 in the proxy mode that allows a remote attacker to run arbitrary Java code on the server.", title: "Vulnerability description", }, { category: "summary", text: "jolokia: JMX proxy mode vulnerable to remote code execution", title: "Vulnerability summary", }, { category: "other", text: "For Red Hat OpenStack Platform, although the affected code is present in shipped packages, proxy mode is not enabled by default and the affected code is not used in any supported configuration of Red Hat OpenStack Platform. 
For this reason, the RHOSP impact as been reduced to Low and this issue is not currently planned to be addressed in future updates.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-1000130", }, { category: "external", summary: "RHBZ#1559316", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1559316", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-1000130", url: "https://www.cve.org/CVERecord?id=CVE-2018-1000130", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-1000130", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-1000130", }, { category: "external", summary: "https://jolokia.org/#Security_fixes_with_1.5.0", url: "https://jolokia.org/#Security_fixes_with_1.5.0", }, ], release_date: "2018-02-08T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", 
privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jolokia: JMX proxy mode vulnerable to remote code execution", }, { cve: "CVE-2018-1000180", cwe: { id: "CWE-325", name: "Missing Cryptographic Step", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588306", }, ], notes: [ { category: "description", text: "A vulnerability was found in BouncyCastle. The number of iterations of the Miller-Rabin primality test was incorrectly calculated (according to FIPS 186-4 C.3). Under some circumstances, this could lead to the generation of weak RSA key pairs.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: flaw in the low-level interface to RSA key pair generator", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.\n\nRed Hat Satellite 6.5 isn't vulnerable to this issue, since it doesn't ship bouncycastle jar file anymore.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-1000180", }, { category: "external", summary: "RHBZ#1588306", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588306", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-1000180", url: "https://www.cve.org/CVERecord?id=CVE-2018-1000180", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-1000180", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-1000180", }, ], release_date: "2018-04-18T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: 
"UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: flaw in the low-level interface to RSA key pair generator", }, ], }
rhsa-2014:0511
Vulnerability from csaf_redhat
Notes
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for Red Hat JBoss Operations Network 3.2.1, which fixes two\nsecurity issues, is now available from the Red Hat Customer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Operations Network is a middleware management solution that\nprovides a single point of control to deploy, manage, and monitor JBoss\nEnterprise Middleware, applications, and services.\n\nApache Struts is a framework for building web applications with Java.\n\nIt was found that the Struts 1 ActionForm object allowed access to the\n'class' parameter, which is directly mapped to the getClass() method. A\nremote attacker could use this flaw to manipulate the ClassLoader used by\nan application server running Struts 1. This could lead to remote code\nexecution under certain conditions. (CVE-2014-0114)\n\nIt was found that when JBoss Web processed a series of HTTP requests in\nwhich at least one request contained either multiple content-length\nheaders, or one content-length header with a chunked transfer-encoding\nheader, JBoss Web would incorrectly handle the request. 
A remote attacker\ncould use this flaw to poison a web cache, perform cross-site scripting\n(XSS) attacks, or obtain sensitive information from other requests.\n(CVE-2013-4286)\n\nAll users of JBoss Operations Network 3.2.1 as provided from the Red Hat\nCustomer Portal are advised to apply this update.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2014:0511", url: "https://access.redhat.com/errata/RHSA-2014:0511", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=em&version=3.2.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=em&version=3.2.0", }, { category: "external", summary: "1069921", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1069921", }, { category: "external", summary: "1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0511.json", }, ], title: "Red Hat Security 
Advisory: Red Hat JBoss Operations Network 3.2.1 security update", tracking: { current_release_date: "2025-02-02T19:39:53+00:00", generator: { date: "2025-02-02T19:39:53+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.6", }, }, id: "RHSA-2014:0511", initial_release_date: "2014-05-15T17:18:12+00:00", revision_history: [ { date: "2014-05-15T17:18:12+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:33:11+00:00", number: "2", summary: "Last updated version", }, { date: "2025-02-02T19:39:53+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Operations Network 3.2", product: { name: "Red Hat JBoss Operations Network 3.2", product_id: "Red Hat JBoss Operations Network 3.2", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_operations_network:3.2.1", }, }, }, ], category: "product_family", name: "Red Hat JBoss Operations Network", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2013-4286", discovery_date: "2014-02-25T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1069921", }, ], notes: [ { category: "description", text: "It was found that when Tomcat / JBoss Web processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat / JBoss Web would incorrectly handle the request. 
A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: multiple content-length header poisoning flaws", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Operations Network 3.2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-4286", }, { category: "external", summary: "RHBZ#1069921", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1069921", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-4286", url: "https://www.cve.org/CVERecord?id=CVE-2013-4286", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-4286", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-4286", }, ], release_date: "2014-02-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-05-15T17:18:12+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Before applying this update, back up your\nexisting JBoss Operations Network installation (including its databases,\napplications, configuration files, the JBoss Operations Network server's\nfile system directory, and so on).\n\nRefer to the \"Manual Instructions\" section of the release description,\navailable from the Customer Portal for this update, for installation\ninformation.", product_ids: [ "Red Hat JBoss Operations Network 3.2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0511", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss Operations Network 3.2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tomcat: multiple content-length header poisoning flaws", }, { cve: "CVE-2014-0114", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2014-04-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1091938", }, ], notes: [ { category: "description", text: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", title: "Vulnerability description", }, { category: "summary", text: "1: Class Loader manipulation via request parameters", title: "Vulnerability summary", }, { category: "other", text: "This flaw allows attackers to manipulate ClassLoader properties on 
a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Operations Network 3.2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0114", }, { category: "external", summary: "RHBZ#1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0114", url: "https://www.cve.org/CVERecord?id=CVE-2014-0114", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", }, ], release_date: "2014-04-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-05-15T17:18:12+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Before applying this update, back up your\nexisting JBoss Operations Network installation (including its databases,\napplications, configuration files, the JBoss Operations Network server's\nfile system directory, and so on).\n\nRefer to the \"Manual Instructions\" section of the release description,\navailable from the Customer Portal for this update, for installation\ninformation.", product_ids: [ "Red Hat JBoss Operations Network 3.2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0511", }, { category: "workaround", details: "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua", product_ids: [ "Red Hat JBoss Operations Network 3.2", ], }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "Red Hat JBoss Operations Network 3.2", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "1: Class Loader manipulation via request parameters", }, ], }
rhsa-2019_2995
Vulnerability from csaf_redhat
Notes
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat A-MQ Broker 7.5 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. \n\nThis release of Red Hat A-MQ Broker 7.5.0 serves as a replacement for Red Hat A-MQ Broker 7.4.1, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* Apache Struts 1: Class Loader manipulation via request parameters (CVE-2014-0114)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2019:2995", url: "https://access.redhat.com/errata/RHSA-2019:2995", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.broker&version=7.5.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.broker&version=7.5.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_amq/7.5/", url: "https://access.redhat.com/documentation/en-us/red_hat_amq/7.5/", }, { category: "external", summary: "1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "external", summary: "ENTMQBR-2849", url: "https://issues.redhat.com/browse/ENTMQBR-2849", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_2995.json", }, ], title: "Red Hat Security Advisory: Red Hat A-MQ Broker 7.5 release and security update", tracking: { current_release_date: "2024-11-22T07:56:48+00:00", generator: { date: "2024-11-22T07:56:48+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2019:2995", initial_release_date: "2019-10-10T07:20:12+00:00", revision_history: [ { date: "2019-10-10T07:20:12+00:00", number: "1", summary: "Initial version", }, { date: 
"2019-10-10T07:20:12+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T07:56:48+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat AMQ Broker 7", product: { name: "Red Hat AMQ Broker 7", product_id: "Red Hat AMQ Broker 7", product_identification_helper: { cpe: "cpe:/a:redhat:amq_broker:7", }, }, }, ], category: "product_family", name: "Red Hat JBoss AMQ", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2014-0114", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2014-04-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1091938", }, ], notes: [ { category: "description", text: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", title: "Vulnerability description", }, { category: "summary", text: "1: Class Loader manipulation via request parameters", title: "Vulnerability summary", }, { category: "other", text: "This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. 
However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Broker 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0114", }, { category: "external", summary: "RHBZ#1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0114", url: "https://www.cve.org/CVERecord?id=CVE-2014-0114", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", }, ], release_date: "2014-04-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2019-10-10T07:20:12+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Broker 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2019:2995", }, { category: "workaround", details: "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua", product_ids: [ "Red Hat AMQ Broker 7", ], }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, 
confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "Red Hat AMQ Broker 7", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "1: Class Loader manipulation via request parameters", }, ], }
RHSA-2018:2669
Vulnerability from csaf_redhat
Notes
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat Fuse.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform.\n\nThis release of Red Hat Fuse 7.1 serves as a replacement for Red Hat Fuse 7.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* Apache Struts 1: Class Loader manipulation via request parameters (CVE-2014-0114)\n\n* thrift: Improper file path sanitization in t_go_generator.cc:format_go_output() of the go client library can allow an attacker to inject commands (CVE-2016-5397)\n\n* slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088)\n\n* jolokia: JMX proxy mode vulnerable to remote code execution (CVE-2018-1000130)\n\n* bouncycastle: DSA does not fully validate ASN.1 encoding during signature verification allowing for injection of unsigned data (CVE-2016-1000338)\n\n* bouncycastle: Information leak in AESFastEngine class (CVE-2016-1000339)\n\n* bouncycastle: Information exposure in DSA signature generation via timing attack (CVE-2016-1000341)\n\n* bouncycastle: ECDSA improper validation of ASN.1 encoding of signature 
(CVE-2016-1000342)\n\n* bouncycastle: DHIES implementation allowed the use of ECB mode (CVE-2016-1000344)\n\n* bouncycastle: DHIES/ECIES CBC modes are vulnerable to padding oracle attack (CVE-2016-1000345)\n\n* bouncycastle: Other party DH public keys are not fully validated (CVE-2016-1000346)\n\n* bouncycastle: ECIES implementation allowed the use of ECB mode (CVE-2016-1000352)\n\n* async-http-client: Invalid URL parsing with '?' (CVE-2017-14063)\n\n* undertow: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service (CVE-2018-1114)\n\n* spring-framework: Directory traversal vulnerability with static resources on Windows filesystems (CVE-2018-1271)\n\n* tika: Infinite loop in BPGParser can allow remote attacker to cause a denial of service (CVE-2018-1338)\n\n* tika: Infinite loop in ChmParser can allow remote attacker to cause a denial of service (CVE-2018-1339)\n\n* pdfbox: Infinite loop in AFMParser.java allows for out of memory erros via crafted PDF (CVE-2018-8036)\n\n* jolokia: Cross site scripting in the HTTP servlet (CVE-2018-1000129)\n\n* bouncycastle: flaw in the low-level interface to RSA key pair generator (CVE-2018-1000180)\n\n* bouncycastle: Carry propagation bug in math.raw.Nat??? class (CVE-2016-1000340)\n\n* bouncycastle: DSA key pair generator generates a weak private key by default (CVE-2016-1000343)\n\n* spring-framework: Multipart content pollution (CVE-2018-1272)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Chris McCown for reporting CVE-2018-8088.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). 
If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2018:2669", url: "https://access.redhat.com/errata/RHSA-2018:2669", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=7.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=7.1.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.1/", url: "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.1/", }, { category: "external", summary: "https://access.redhat.com/articles/2939351", url: "https://access.redhat.com/articles/2939351", }, { category: "external", summary: "1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "external", summary: "1487563", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1487563", }, { category: "external", summary: "1544620", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1544620", }, { category: "external", summary: "1548909", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1548909", }, { category: "external", summary: "1559316", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1559316", }, { category: "external", summary: 
"1559317", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1559317", }, { category: "external", summary: "1564408", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1564408", }, { category: "external", summary: "1571050", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1571050", }, { category: "external", summary: "1572421", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1572421", }, { category: "external", summary: "1572424", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1572424", }, { category: "external", summary: "1573045", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1573045", }, { category: "external", summary: "1588306", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588306", }, { category: "external", summary: "1588313", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588313", }, { category: "external", summary: "1588314", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588314", }, { category: "external", summary: "1588323", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588323", }, { category: "external", summary: "1588327", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588327", }, { category: "external", summary: "1588330", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588330", }, { category: "external", summary: "1588688", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588688", }, { category: "external", summary: "1588695", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588695", }, { category: "external", summary: "1588708", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588708", }, { category: "external", summary: "1588715", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588715", }, { category: "external", summary: "1588721", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588721", }, { category: "external", summary: "1597490", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1597490", }, { category: "self", summary: "Canonical URL", url: 
"https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_2669.json", }, ], title: "Red Hat Security Advisory: Fuse 7.1 security update", tracking: { current_release_date: "2025-02-03T19:30:41+00:00", generator: { date: "2025-02-03T19:30:41+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.6", }, }, id: "RHSA-2018:2669", initial_release_date: "2018-09-11T07:53:47+00:00", revision_history: [ { date: "2018-09-11T07:53:47+00:00", number: "1", summary: "Initial version", }, { date: "2018-09-11T07:53:47+00:00", number: "2", summary: "Last updated version", }, { date: "2025-02-03T19:30:41+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Fuse 7", product: { name: "Red Hat JBoss Fuse 7", product_id: "Red Hat JBoss Fuse 7", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:7", }, }, }, ], category: "product_family", name: "Red Hat JBoss Fuse", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2014-0114", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2014-04-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1091938", }, ], notes: [ { category: "description", text: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", title: "Vulnerability description", }, { category: "summary", text: "1: Class Loader manipulation via request parameters", title: "Vulnerability 
summary", }, { category: "other", text: "This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0114", }, { category: "external", summary: "RHBZ#1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0114", url: "https://www.cve.org/CVERecord?id=CVE-2014-0114", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", }, ], release_date: "2014-04-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the 
update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, { category: "workaround", details: "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua", product_ids: [ "Red Hat JBoss Fuse 7", ], }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "1: Class Loader manipulation via request parameters", }, { cve: "CVE-2016-5397", cwe: { id: "CWE-78", name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", }, discovery_date: "2018-02-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1544620", }, ], notes: [ { category: "description", text: "The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affected Apache Thrift 0.9.3 and older, Fixed in Apache Thrift 0.10.0.", title: "Vulnerability description", }, { category: "summary", text: "thrift: Improper file path sanitization in t_go_generator.cc:format_go_output() of the go client library can allow an attacker to inject commands", title: "Vulnerability summary", }, { category: "other", text: "libthrift is a library used by OpenDaylight which is shipped with Red Hat OpenStack. 
Whilst the version of the library used contains the vulnerable code it is not used by OpenDaylight and hence not exposed.\n\nJBoss fuse 6.3 ships libthrift via insight-activemq fabric-8 profile, however the vulnerable code is not used by fabric-8 so fuse 6.3 is not affected.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-5397", }, { category: "external", summary: "RHBZ#1544620", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1544620", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-5397", url: "https://www.cve.org/CVERecord?id=CVE-2016-5397", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-5397", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-5397", }, ], release_date: "2016-07-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: 
"LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "thrift: Improper file path sanitization in t_go_generator.cc:format_go_output() of the go client library can allow an attacker to inject commands", }, { cve: "CVE-2016-1000338", cwe: { id: "CWE-325", name: "Missing Cryptographic Step", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588313", }, ], notes: [ { category: "description", text: "In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: DSA does not fully validate ASN.1 encoding during signature verification allowing for injection of unsigned data", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000338", }, { category: "external", summary: "RHBZ#1588313", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588313", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000338", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000338", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000338", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000338", }, ], release_date: "2016-10-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", 
}, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: DSA does not fully validate ASN.1 encoding during signature verification allowing for injection of unsigned data", }, { cve: "CVE-2016-1000339", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588695", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Information leak in AESFastEngine class", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000339", }, { category: "external", summary: "RHBZ#1588695", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588695", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000339", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000339", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000339", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000339", }, ], release_date: "2018-06-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", 
}, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Information leak in AESFastEngine class", }, { cve: "CVE-2016-1000340", cwe: { id: "CWE-682", name: "Incorrect Calculation", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588688", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Carry propagation bug in math.raw.Nat??? class", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Low. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000340", }, { category: "external", summary: "RHBZ#1588688", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588688", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000340", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000340", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000340", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000340", }, ], release_date: "2018-06-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 2.9, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, 
products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "bouncycastle: Carry propagation bug in math.raw.Nat??? class", }, { cve: "CVE-2016-1000341", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588708", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Information exposure in DSA signature generation via timing attack", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000341", }, { category: "external", summary: "RHBZ#1588708", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588708", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000341", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000341", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000341", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000341", }, ], release_date: "2018-06-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", 
}, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Information exposure in DSA signature generation via timing attack", }, { cve: "CVE-2016-1000342", cwe: { id: "CWE-295", name: "Improper Certificate Validation", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588715", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: ECDSA improper validation of ASN.1 encoding of signature", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000342", }, { category: "external", summary: "RHBZ#1588715", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588715", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000342", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000342", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000342", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000342", }, ], release_date: "2018-06-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.0", 
}, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: ECDSA improper validation of ASN.1 encoding of signature", }, { cve: "CVE-2016-1000343", cwe: { id: "CWE-338", name: "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588721", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: DSA key pair generator generates a weak private key by default", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Low. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000343", }, { category: "external", summary: "RHBZ#1588721", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588721", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000343", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000343", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000343", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000343", }, ], release_date: "2018-06-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 2.9, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, 
products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "bouncycastle: DSA key pair generator generates a weak private key by default", }, { cve: "CVE-2016-1000344", cwe: { id: "CWE-325", name: "Missing Cryptographic Step", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588314", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: DHIES implementation allowed the use of ECB mode", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000344", }, { category: "external", summary: "RHBZ#1588314", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588314", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000344", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000344", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000344", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000344", }, ], release_date: "2016-04-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", 
}, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: DHIES implementation allowed the use of ECB mode", }, { cve: "CVE-2016-1000345", cwe: { id: "CWE-325", name: "Missing Cryptographic Step", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588323", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode vulnerable to padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: DHIES/ECIES CBC modes are vulnerable to padding oracle attack", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000345", }, { category: "external", summary: "RHBZ#1588323", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588323", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000345", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000345", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000345", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000345", }, ], release_date: "2016-04-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", 
}, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: DHIES/ECIES CBC modes are vulnerable to padding oracle attack", }, { cve: "CVE-2016-1000346", cwe: { id: "CWE-325", name: "Missing Cryptographic Step", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588327", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Other party DH public keys are not fully validated", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000346", }, { category: "external", summary: "RHBZ#1588327", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588327", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000346", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000346", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000346", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000346", }, ], release_date: "2016-10-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", 
}, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Other party DH public keys are not fully validated", }, { cve: "CVE-2016-1000352", cwe: { id: "CWE-325", name: "Missing Cryptographic Step", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588330", }, ], notes: [ { category: "description", text: "In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: ECIES implementation allowed the use of ECB mode", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1000352", }, { category: "external", summary: "RHBZ#1588330", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588330", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1000352", url: "https://www.cve.org/CVERecord?id=CVE-2016-1000352", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000352", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000352", }, ], release_date: "2016-04-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", 
}, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: ECIES implementation allowed the use of ECB mode", }, { cve: "CVE-2017-14063", discovery_date: "2017-08-31T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1487563", }, ], notes: [ { category: "description", text: "Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.", title: "Vulnerability description", }, { category: "summary", text: "async-http-client: Invalid URL parsing with '?'", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-14063", }, { category: "external", summary: "RHBZ#1487563", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1487563", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-14063", url: "https://www.cve.org/CVERecord?id=CVE-2017-14063", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-14063", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-14063", }, ], release_date: "2017-08-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in 
the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "async-http-client: Invalid URL parsing with '?'", }, { cve: "CVE-2018-1114", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2018-04-30T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1573045", }, ], notes: [ { category: "description", text: "It was found that URLResource.getLastModified() in Undertow closes the file descriptors only when they are finalized which can cause file descriptors to exhaust. 
This leads to a file handler leak.", title: "Vulnerability description", }, { category: "summary", text: "undertow: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-1114", }, { category: "external", summary: "RHBZ#1573045", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1573045", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-1114", url: "https://www.cve.org/CVERecord?id=CVE-2018-1114", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-1114", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-1114", }, { category: "external", summary: "https://bugs.openjdk.java.net/browse/JDK-6956385", url: "https://bugs.openjdk.java.net/browse/JDK-6956385", }, { category: "external", summary: "https://issues.jboss.org/browse/UNDERTOW-1338", url: "https://issues.jboss.org/browse/UNDERTOW-1338", }, ], release_date: "2018-04-21T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: 
"https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "undertow: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service", }, { cve: "CVE-2018-1271", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2018-04-24T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1571050", }, ], notes: [ { category: "description", text: "Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). 
When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.", title: "Vulnerability description", }, { category: "summary", text: "spring-framework: Directory traversal vulnerability with static resources on Windows filesystems", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-1271", }, { category: "external", summary: "RHBZ#1571050", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1571050", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-1271", url: "https://www.cve.org/CVERecord?id=CVE-2018-1271", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-1271", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-1271", }, { category: "external", summary: "https://pivotal.io/security/cve-2018-1271", url: "https://pivotal.io/security/cve-2018-1271", }, ], release_date: "2018-04-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: 
"https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "spring-framework: Directory traversal vulnerability with static resources on Windows filesystems", }, { cve: "CVE-2018-1272", cwe: { id: "CWE-88", name: "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", }, discovery_date: "2018-04-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1564408", }, ], notes: [ { category: "description", text: "Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. 
This could to lead privilege escalation, for example, if the part content represents a username or user roles.", title: "Vulnerability description", }, { category: "summary", text: "spring-framework: Multipart content pollution", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-1272", }, { category: "external", summary: "RHBZ#1564408", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1564408", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-1272", url: "https://www.cve.org/CVERecord?id=CVE-2018-1272", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-1272", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-1272", }, { category: "external", summary: "https://pivotal.io/security/cve-2018-1272", url: "https://pivotal.io/security/cve-2018-1272", }, ], release_date: "2018-04-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, 
baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "spring-framework: Multipart content pollution", }, { cve: "CVE-2018-1338", cwe: { id: "CWE-835", name: "Loop with Unreachable Exit Condition ('Infinite Loop')", }, discovery_date: "2018-04-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1572421", }, ], notes: [ { category: "description", text: "An infinite loop vulnerability was discovered in Apache Tika prior to version 1.18. A remote attacker could exploit this to cause a denial of service via crafted file.", title: "Vulnerability description", }, { category: "summary", text: "tika: Infinite loop in BPGParser can allow remote attacker to cause a denial of service", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of tika which is embedded in the nutch package as shipped with Red Hat Satellite 5. The tika server is not exposed, as such exploitation is difficult, Red Hat Product Security has rated this issue as having security impact of Low. A future update may address this issue. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-1338", }, { category: "external", summary: "RHBZ#1572421", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1572421", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-1338", url: "https://www.cve.org/CVERecord?id=CVE-2018-1338", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-1338", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-1338", }, { category: "external", summary: "https://lists.apache.org/thread.html/4d20c5748fb9f836653bc78a1bad991ba8485d82a1e821f70b641932@%3Cdev.tika.apache.org%3E", url: "https://lists.apache.org/thread.html/4d20c5748fb9f836653bc78a1bad991ba8485d82a1e821f70b641932@%3Cdev.tika.apache.org%3E", }, ], release_date: "2018-04-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", 
availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tika: Infinite loop in BPGParser can allow remote attacker to cause a denial of service", }, { cve: "CVE-2018-1339", cwe: { id: "CWE-835", name: "Loop with Unreachable Exit Condition ('Infinite Loop')", }, discovery_date: "2018-04-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1572424", }, ], notes: [ { category: "description", text: "A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's ChmParser in versions of Apache Tika before 1.18.", title: "Vulnerability description", }, { category: "summary", text: "tika: Infinite loop in ChmParser can allow remote attacker to cause a denial of service", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of tika which is embedded in the nutch package as shipped with Red Hat Satellite 5. The tika server is not exposed, as such exploitation is difficult, Red Hat Product Security has rated this issue as having security impact of Low. A future update may address this issue. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-1339", }, { category: "external", summary: "RHBZ#1572424", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1572424", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-1339", url: "https://www.cve.org/CVERecord?id=CVE-2018-1339", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-1339", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-1339", }, { category: "external", summary: "https://lists.apache.org/thread.html/4d2cb5c819401bb075e2a1130e0d14f0404a136541a6f91da0225828@%3Cdev.tika.apache.org%3E", url: "https://lists.apache.org/thread.html/4d2cb5c819401bb075e2a1130e0d14f0404a136541a6f91da0225828@%3Cdev.tika.apache.org%3E", }, ], release_date: "2018-04-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", 
availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tika: Infinite loop in ChmParser can allow remote attacker to cause a denial of service", }, { cve: "CVE-2018-8036", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2018-07-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1597490", }, ], notes: [ { category: "description", text: "In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.", title: "Vulnerability description", }, { category: "summary", text: "pdfbox: Infinite loop in AFMParser.java allows for out of memory erros via crafted PDF", title: "Vulnerability summary", }, { category: "other", text: "While Fuse 6.3 and Fuse 7.0 ship vulnerable artifact via camel-pdfbox, however, the flawed code is not being used therefore no execution path leads to an exposure to this vulnerability, so both Fuse 6.3, 7 standalone are not affected. 
However, Fuse 7.0 on OpenShift ship vulnerable artifact via maven BOM, so setting Fuse 7.0 as affected for this reason only.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-8036", }, { category: "external", summary: "RHBZ#1597490", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1597490", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-8036", url: "https://www.cve.org/CVERecord?id=CVE-2018-8036", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-8036", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-8036", }, { category: "external", summary: "http://www.openwall.com/lists/oss-security/2018/06/29/1", url: "http://www.openwall.com/lists/oss-security/2018/06/29/1", }, ], release_date: "2018-07-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", 
privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "pdfbox: Infinite loop in AFMParser.java allows for out of memory erros via crafted PDF", }, { acknowledgments: [ { names: [ "Chris McCown", ], }, ], cve: "CVE-2018-8088", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2018-02-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1548909", }, ], notes: [ { category: "description", text: "An XML deserialization vulnerability was discovered in slf4j's EventData, which accepts an XML serialized string and can lead to arbitrary code execution.", title: "Vulnerability description", }, { category: "summary", text: "slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution", title: "Vulnerability summary", }, { category: "other", text: "Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Important, and is not currently planned to be addressed in future updates.\n\nThis issue did not affect the versions of Candlepin as shipped with Red Hat Satellite 6 as Candlepin uses slf4j-api and not the affected slf4j-ext (which is not on the Candlepin classpath).\n\nRed Hat Enterprise Virtualization Manager 4.1 is affected by this issue. Updated packages that address this issue are available through the Red Hat Enterprise Linux Server channels. 
Virtualization Manager hosts should be subscribed to these channels and obtain the updates via `yum update`.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-8088", }, { category: "external", summary: "RHBZ#1548909", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1548909", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-8088", url: "https://www.cve.org/CVERecord?id=CVE-2018-8088", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-8088", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-8088", }, ], release_date: "2018-02-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", 
], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution", }, { cve: "CVE-2018-1000129", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2018-03-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1559317", }, ], notes: [ { category: "description", text: "An XSS vulnerability exists in the Jolokia agent version 1.3.7 in the HTTP servlet that allows an attacker to execute malicious javascript in the victim's browser.", title: "Vulnerability description", }, { category: "summary", text: "jolokia: Cross site scripting in the HTTP servlet", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Product Security has rated this issue as having security impact of Low for:\n* Red Hat OpenStack Platform 9.0 (Mitaka)\n* Red Hat OpenStack Platform 10.0 (Newton) \n* Red Hat OpenStack Platform 11.0 (Ocata)\n* Red Hat OpenStack Platform 12.0 (Pike)\n\nAlthough the affected code is present in shipped packages, data returned by Jolokia is correctly processed and invalid data is not used. This issue is not currently planned to be addressed in future updates. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-1000129", }, { category: "external", summary: "RHBZ#1559317", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1559317", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-1000129", url: "https://www.cve.org/CVERecord?id=CVE-2018-1000129", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-1000129", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-1000129", }, { category: "external", summary: "https://jolokia.org/#Security_fixes_with_1.5.0", url: "https://jolokia.org/#Security_fixes_with_1.5.0", }, ], release_date: "2018-02-08T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", 
privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jolokia: Cross site scripting in the HTTP servlet", }, { cve: "CVE-2018-1000130", cwe: { id: "CWE-99", name: "Improper Control of Resource Identifiers ('Resource Injection')", }, discovery_date: "2018-03-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1559316", }, ], notes: [ { category: "description", text: "A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 in the proxy mode that allows a remote attacker to run arbitrary Java code on the server.", title: "Vulnerability description", }, { category: "summary", text: "jolokia: JMX proxy mode vulnerable to remote code execution", title: "Vulnerability summary", }, { category: "other", text: "For Red Hat OpenStack Platform, although the affected code is present in shipped packages, proxy mode is not enabled by default and the affected code is not used in any supported configuration of Red Hat OpenStack Platform. 
For this reason, the RHOSP impact as been reduced to Low and this issue is not currently planned to be addressed in future updates.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-1000130", }, { category: "external", summary: "RHBZ#1559316", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1559316", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-1000130", url: "https://www.cve.org/CVERecord?id=CVE-2018-1000130", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-1000130", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-1000130", }, { category: "external", summary: "https://jolokia.org/#Security_fixes_with_1.5.0", url: "https://jolokia.org/#Security_fixes_with_1.5.0", }, ], release_date: "2018-02-08T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", 
privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jolokia: JMX proxy mode vulnerable to remote code execution", }, { cve: "CVE-2018-1000180", cwe: { id: "CWE-325", name: "Missing Cryptographic Step", }, discovery_date: "2018-06-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1588306", }, ], notes: [ { category: "description", text: "A vulnerability was found in BouncyCastle. The number of iterations of the Miller-Rabin primality test was incorrectly calculated (according to FIPS 186-4 C.3). Under some circumstances, this could lead to the generation of weak RSA key pairs.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: flaw in the low-level interface to RSA key pair generator", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. 
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.\n\nRed Hat Satellite 6.5 isn't vulnerable to this issue, since it doesn't ship bouncycastle jar file anymore.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-1000180", }, { category: "external", summary: "RHBZ#1588306", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1588306", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-1000180", url: "https://www.cve.org/CVERecord?id=CVE-2018-1000180", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-1000180", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-1000180", }, ], release_date: "2018-04-18T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-09-11T07:53:47+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Fuse 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:2669", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: 
"UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss Fuse 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: flaw in the low-level interface to RSA key pair generator", }, ], }
rhsa-2014:0498
Vulnerability from csaf_redhat
Notes
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Fuse ESB Enterprise 7.1.0 R1 P4 (Patch 4 on Rollup Patch 1), a security\nupdate that addresses one security issue, is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.", title: "Topic", }, { category: "general", text: "Fuse ESB Enterprise is an integration platform based on Apache ServiceMix.\n\nIt was found that the Struts 1 ActionForm object allowed access to the\n'class' parameter, which is directly mapped to the getClass() method.\nA remote attacker could use this flaw to manipulate the ClassLoader used by\nan application server running Struts 1. This could lead to remote code\nexecution under certain conditions. (CVE-2014-0114)\n\nRefer to the readme.txt file included with the patch files for\ninstallation instructions.\n\nAll users of Fuse ESB Enterprise 7.1.0 as provided from the Red Hat\nCustomer Portal are advised to apply this security update.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2014:0498", url: "https://access.redhat.com/errata/RHSA-2014:0498", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.esb.enterprise&downloadType=securityPatches&version=7.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.esb.enterprise&downloadType=securityPatches&version=7.1.0", }, { category: "external", summary: "1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0498.json", }, ], title: "Red Hat Security Advisory: Fuse ESB Enterprise 7.1.0 security update", tracking: { current_release_date: "2024-11-22T07:57:08+00:00", generator: { date: "2024-11-22T07:57:08+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2014:0498", initial_release_date: "2014-05-14T18:06:52+00:00", revision_history: [ { date: "2014-05-14T18:06:52+00:00", number: "1", summary: "Initial version", }, { date: "2014-05-14T18:06:52+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T07:57:08+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: 
"product_name", name: "Fuse ESB Enterprise 7.1.0", product: { name: "Fuse ESB Enterprise 7.1.0", product_id: "Fuse ESB Enterprise 7.1.0", product_identification_helper: { cpe: "cpe:/a:redhat:fuse_esb_enterprise:7.1.0", }, }, }, ], category: "product_family", name: "Fuse Enterprise Middleware", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2014-0114", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2014-04-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1091938", }, ], notes: [ { category: "description", text: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", title: "Vulnerability description", }, { category: "summary", text: "1: Class Loader manipulation via request parameters", title: "Vulnerability summary", }, { category: "other", text: "This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. 
Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Fuse ESB Enterprise 7.1.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0114", }, { category: "external", summary: "RHBZ#1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0114", url: "https://www.cve.org/CVERecord?id=CVE-2014-0114", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", }, ], release_date: "2014-04-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-05-14T18:06:52+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Fuse ESB Enterprise 7.1.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0498", }, { category: "workaround", details: "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua", product_ids: [ "Fuse ESB Enterprise 7.1.0", ], }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "Fuse ESB Enterprise 7.1.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "1: Class Loader 
manipulation via request parameters", }, ], }
rhsa-2014_0511
Vulnerability from csaf_redhat
Notes
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for Red Hat JBoss Operations Network 3.2.1, which fixes two\nsecurity issues, is now available from the Red Hat Customer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Operations Network is a middleware management solution that\nprovides a single point of control to deploy, manage, and monitor JBoss\nEnterprise Middleware, applications, and services.\n\nApache Struts is a framework for building web applications with Java.\n\nIt was found that the Struts 1 ActionForm object allowed access to the\n'class' parameter, which is directly mapped to the getClass() method. A\nremote attacker could use this flaw to manipulate the ClassLoader used by\nan application server running Struts 1. This could lead to remote code\nexecution under certain conditions. (CVE-2014-0114)\n\nIt was found that when JBoss Web processed a series of HTTP requests in\nwhich at least one request contained either multiple content-length\nheaders, or one content-length header with a chunked transfer-encoding\nheader, JBoss Web would incorrectly handle the request. 
A remote attacker\ncould use this flaw to poison a web cache, perform cross-site scripting\n(XSS) attacks, or obtain sensitive information from other requests.\n(CVE-2013-4286)\n\nAll users of JBoss Operations Network 3.2.1 as provided from the Red Hat\nCustomer Portal are advised to apply this update.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2014:0511", url: "https://access.redhat.com/errata/RHSA-2014:0511", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=em&version=3.2.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=em&version=3.2.0", }, { category: "external", summary: "1069921", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1069921", }, { category: "external", summary: "1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0511.json", }, ], title: "Red Hat Security 
Advisory: Red Hat JBoss Operations Network 3.2.1 security update", tracking: { current_release_date: "2024-12-08T10:41:45+00:00", generator: { date: "2024-12-08T10:41:45+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2014:0511", initial_release_date: "2014-05-15T17:18:12+00:00", revision_history: [ { date: "2014-05-15T17:18:12+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:33:11+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-08T10:41:45+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Operations Network 3.2", product: { name: "Red Hat JBoss Operations Network 3.2", product_id: "Red Hat JBoss Operations Network 3.2", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_operations_network:3.2.1", }, }, }, ], category: "product_family", name: "Red Hat JBoss Operations Network", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2013-4286", discovery_date: "2014-02-25T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1069921", }, ], notes: [ { category: "description", text: "It was found that when Tomcat / JBoss Web processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat / JBoss Web would incorrectly handle the request. 
A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: multiple content-length header poisoning flaws", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Operations Network 3.2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2013-4286", }, { category: "external", summary: "RHBZ#1069921", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1069921", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2013-4286", url: "https://www.cve.org/CVERecord?id=CVE-2013-4286", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2013-4286", url: "https://nvd.nist.gov/vuln/detail/CVE-2013-4286", }, ], release_date: "2014-02-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-05-15T17:18:12+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Before applying this update, back up your\nexisting JBoss Operations Network installation (including its databases,\napplications, configuration files, the JBoss Operations Network server's\nfile system directory, and so on).\n\nRefer to the \"Manual Instructions\" section of the release description,\navailable from the Customer Portal for this update, for installation\ninformation.", product_ids: [ "Red Hat JBoss Operations Network 3.2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0511", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, products: [ "Red Hat JBoss Operations Network 3.2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tomcat: multiple content-length header poisoning flaws", }, { cve: "CVE-2014-0114", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2014-04-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1091938", }, ], notes: [ { category: "description", text: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", title: "Vulnerability description", }, { category: "summary", text: "1: Class Loader manipulation via request parameters", title: "Vulnerability summary", }, { category: "other", text: "This flaw allows attackers to manipulate ClassLoader properties on 
a vulnerable server. The impact of this depends on which ClassLoader properties are exposed. Exploits that lead to remote code execution have been published. These exploits rely on ClassLoader properties that are exposed on Tomcat 8, which is not included in any supported Red Hat products. However, some Red Hat products that ship Struts 1 do expose ClassLoader properties that could potentially be exploited. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Operations Network 3.2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-0114", }, { category: "external", summary: "RHBZ#1091938", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-0114", url: "https://www.cve.org/CVERecord?id=CVE-2014-0114", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", }, ], release_date: "2014-04-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2014-05-15T17:18:12+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Before applying this update, back up your\nexisting JBoss Operations Network installation (including its databases,\napplications, configuration files, the JBoss Operations Network server's\nfile system directory, and so on).\n\nRefer to the \"Manual Instructions\" section of the release description,\navailable from the Customer Portal for this update, for installation\ninformation.", product_ids: [ "Red Hat JBoss Operations Network 3.2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2014:0511", }, { category: "workaround", details: "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VCaGk3V53Ua", product_ids: [ "Red Hat JBoss Operations Network 3.2", ], }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, products: [ "Red Hat JBoss Operations Network 3.2", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "1: Class Loader manipulation via request parameters", }, ], }
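The Red Hat record above pins down the mechanism: BeanUtils treats `getClass()` as a readable bean property named `class`, so a request parameter whose name is a nested path (`class.classLoader...`) is walked from the ActionForm into the container's ClassLoader, and what can be reached from there decides the impact. The following is an added example, not code from the CSAF record, from Red Hat or from Apache. It assumes commons-beanutils 1.9.2 or later on the classpath (that release introduced `SuppressPropertiesBeanIntrospector`), a hypothetical `LoginForm` bean standing in for a Struts 1 ActionForm, a constructed parameter map, and a parameter-name exclusion regex chosen here to reject any `class` segment (an assumption modelled on the idea of the Struts 1 workaround filter, not its verbatim pattern).

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

import org.apache.commons.beanutils.BeanUtils;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtils;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/**
 * Added example for CVE-2014-0114 (not part of the advisory or of Apache's code).
 * Shows how a parameter name reaches the ClassLoader through the implicit
 * "class" bean property, and two mitigations:
 *   1. drop parameter names containing a "class" segment before populate();
 *   2. hide the "class" property inside BeanUtils (commons-beanutils >= 1.9.2).
 */
public class ClassParamDemo {

    /** Hypothetical stand-in for a Struts 1 ActionForm: a plain bean with one setter. */
    public static class LoginForm {
        private String username;
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
    }

    // Assumption: a "class" segment at the start of the name or after a
    // non-word character ('.' or '['), followed by another non-word character.
    static final Pattern CLASS_SEGMENT = Pattern.compile("(^|\\W)[cC]lass\\W");

    static boolean isClassParam(String name) {
        return CLASS_SEGMENT.matcher(name).find();
    }

    /** Mitigation 1: remove attacker-controlled "class" paths before populate(). */
    static Map<String, String> filterParams(Map<String, String> raw) {
        Map<String, String> safe = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : raw.entrySet()) {
            if (!isClassParam(e.getKey())) {
                safe.put(e.getKey(), e.getValue());
            }
        }
        return safe;
    }

    /** Resolve a nested path the way populate() does; null when BeanUtils refuses the property. */
    static Object resolve(Object bean, String path) throws Exception {
        try {
            return PropertyUtils.getProperty(bean, path);
        } catch (NoSuchMethodException notExposed) {
            return null;
        }
    }

    /** Mitigation 2: register the introspector that hides "class" (opt-in before 1.9.4). */
    static void suppressClassProperty() {
        PropertyUtilsBean pu = BeanUtilsBean.getInstance().getPropertyUtils();
        pu.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        pu.clearDescriptors(); // descriptors cached before registration still list "class"
    }

    public static void main(String[] args) throws Exception {
        // Constructed request parameters: one legitimate, one that targets the ClassLoader.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("username", "alice");
        params.put("class.classLoader.example", "x"); // constructed, not a real exploit path

        LoginForm form = new LoginForm();

        // Before any mitigation the path resolves to a live ClassLoader object.
        System.out.println("class.classLoader -> " + resolve(form, "class.classLoader"));

        // Mitigation 1: the hostile name never reaches populate().
        Map<String, String> filtered = filterParams(params);
        System.out.println("parameters kept: " + filtered.keySet());
        BeanUtils.populate(form, filtered);
        System.out.println("username = " + form.getUsername());

        // Mitigation 2: even unfiltered input can no longer traverse "class".
        suppressClassProperty();
        System.out.println("after suppression: class.classLoader -> " + resolve(form, "class.classLoader"));
        BeanUtils.populate(new LoginForm(), params); // the class.* entry is now skipped silently
    }
}
```

Two caveats a deployer will hit: `BeanUtilsBean.getInstance()` is held per context ClassLoader, so the suppression has to be applied inside each web application, not once per JVM; and in 1.9.2 and 1.9.3 the introspector exists but is not registered by default, which is why the parameter filter remains the belt-and-braces control on Struts 1 deployments that cannot upgrade the library.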
wid-sec-w-2023-0918
Vulnerability from csaf_certbund
Notes
{ document: { aggregate_severity: { text: "medium", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "As the provider of the content it makes available for use, the BSI is responsible for that content under the general laws. Users, however, are responsible for carefully checking the use and/or implementation of the information provided with the content in each individual case.", }, { category: "description", text: "Struts is a framework for Java applications on the Apache web server.", title: "Product description", }, { category: "summary", text: "A remote, anonymous attacker can exploit a vulnerability in Apache Struts to execute arbitrary code with the privileges of the service.", title: "Attack", }, { category: "general", text: "- Linux\n- UNIX\n- Windows", title: "Affected operating systems", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-0918 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2014/wid-sec-w-2023-0918.json", }, { category: "self", summary: "WID-SEC-2023-0918 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0918", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2014:0474-1 of 2014-05-07", url: "https://rhn.redhat.com/errata/RHSA-2014-0474.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2014:0497-1 of 2014-05-14", url: "https://rhn.redhat.com/errata/RHSA-2014-0497.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2014:0498-1 of 2014-05-14", url: "https://rhn.redhat.com/errata/RHSA-2014-0498.html", }, { category: 
"external", summary: "Red Hat Security Advisory RHSA-2014:0500-1 of 2014-05-14", url: "https://rhn.redhat.com/errata/RHSA-2014-0500.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2014:0511-1 of 2014-05-15", url: "https://rhn.redhat.com/errata/RHSA-2014-0511.html", }, { category: "external", summary: "SUSE Security Update: Security Update for Struts", url: "http://lists.opensuse.org/opensuse-security-announce/2014-07/msg00008.html", }, { category: "external", summary: "Debian Security Advisory DSA-2940-1 of 2014-08-21", url: "https://www.debian.org/security/2014/dsa-2940", }, { category: "external", summary: "Oracle Critical Patch Update Advisory Appendix Retail Applications of 2014-10-14", url: "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html#AppendixRAPP", }, { category: "external", summary: "HP Security Bulletin c04473828 of 2014-10-14", url: "https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04473828", }, { category: "external", summary: "HP Security Bulletin HPSBGN03669 of 2016-11-07", url: "https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05324755", }, { category: "external", summary: "NetApp Advisory Number NTAP-20140911-0001 of 2017-04-06", url: "https://kb.netapp.com/support/s/article/ka51A00000007QFQAY/apache-struts-class-suppression-vulnerability-in-select-netapp-products?language=en_US", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2019:2995 of 2019-10-10", url: "https://access.redhat.com/errata/RHSA-2019:2995", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2020-0194 of 2020-04-24", url: "https://oss.oracle.com/pipermail/el-errata/2020-January/009538.html", }, { category: "external", summary: "IBM Security Bulletin 6982881 of 2023-04-12", url: "https://www.ibm.com/support/pages/node/6982881", }, { category: "external", summary: "IBM Security Bulletin 7153639 of 2024-05-17", url: 
"https://www.ibm.com/support/pages/node/7153639", }, ], source_lang: "en-US", title: "Apache Struts: Vulnerability allows execution of arbitrary code with the privileges of the service", tracking: { current_release_date: "2024-05-16T22:00:00.000+00:00", generator: { date: "2024-08-15T17:48:28.762+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-0918", initial_release_date: "2014-05-06T22:00:00.000+00:00", revision_history: [ { date: "2014-05-06T22:00:00.000+00:00", number: "1", summary: "Initial Release", }, { date: "2014-05-06T22:00:00.000+00:00", number: "2", summary: "Version not available", }, { date: "2014-05-06T22:00:00.000+00:00", number: "3", summary: "Version not available", }, { date: "2014-05-06T22:00:00.000+00:00", number: "4", summary: "Version not available", }, { date: "2014-05-15T22:00:00.000+00:00", number: "5", summary: "New remediations available", }, { date: "2014-05-15T22:00:00.000+00:00", number: "6", summary: "Version not available", }, { date: "2014-07-15T22:00:00.000+00:00", number: "7", summary: "New remediations available", }, { date: "2014-07-15T22:00:00.000+00:00", number: "8", summary: "Version not available", }, { date: "2014-08-21T22:00:00.000+00:00", number: "9", summary: "New remediations available", }, { date: "2014-08-21T22:00:00.000+00:00", number: "10", summary: "Version not available", }, { date: "2014-08-21T22:00:00.000+00:00", number: "11", summary: "Version not available", }, { date: "2014-08-21T22:00:00.000+00:00", number: "12", summary: "Version not available", }, { date: "2014-08-21T22:00:00.000+00:00", number: "13", summary: "Version not available", }, { date: "2016-11-06T23:00:00.000+00:00", number: "14", summary: "New remediations available", }, { date: "2016-11-06T23:00:00.000+00:00", number: "15", summary: "Version not available", }, { date: "2017-04-06T22:00:00.000+00:00", number: "16", summary: "n", }, { date: "2017-04-06T22:00:00.000+00:00", number: "17", 
summary: "Version not available", }, { date: "2019-10-09T22:00:00.000+00:00", number: "18", summary: "New Red Hat updates added", }, { date: "2020-04-23T22:00:00.000+00:00", number: "19", summary: "New Oracle Linux updates added", }, { date: "2023-04-11T22:00:00.000+00:00", number: "20", summary: "New IBM updates added", }, { date: "2024-05-16T22:00:00.000+00:00", number: "21", summary: "New IBM updates added", }, ], status: "final", version: "21", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "1", product: { name: "Apache Struts 1", product_id: "T003109", product_identification_helper: { cpe: "cpe:/a:apache:struts:1", }, }, }, ], category: "product_name", name: "Struts", }, ], category: "vendor", name: "Apache", }, { branches: [ { category: "product_name", name: "Debian Linux Wheezy (7.0)", product: { name: "Debian Linux Wheezy (7.0)", product_id: "T001572", product_identification_helper: { cpe: "cpe:/o:debian:debian_linux:7.0", }, }, }, ], category: "vendor", name: "Debian", }, { branches: [ { category: "product_name", name: "HPE SiteScope", product: { name: "HPE SiteScope", product_id: "T008871", product_identification_helper: { cpe: "cpe:/a:hp:sitescope:-", }, }, }, { category: "product_name", name: "HPE XP P9000 Command View Advanced Edition", product: { name: "HPE XP P9000 Command View Advanced Edition", product_id: "T004073", product_identification_helper: { cpe: "cpe:/a:hp:xp_p9000_command_view_advanced_edition:-", }, }, }, ], category: "vendor", name: "HPE", }, { branches: [ { branches: [ { category: "product_version", name: "8.1", product: { name: "IBM Operational Decision Manager 8.10", product_id: "T013722", product_identification_helper: { cpe: "cpe:/a:ibm:operational_decision_manager:8.10", }, }, }, { category: "product_version", name: "8.11", product: { name: "IBM Operational Decision Manager 8.11", product_id: "T022173", product_identification_helper: 
{ cpe: "cpe:/a:ibm:operational_decision_manager:8.11", }, }, }, ], category: "product_name", name: "Operational Decision Manager", }, ], category: "vendor", name: "IBM", }, { branches: [ { category: "product_name", name: "NetApp OnCommand Unified Manager", product: { name: "NetApp OnCommand Unified Manager", product_id: "T009408", product_identification_helper: { cpe: "cpe:/a:netapp:oncommand_unified_manager:-", }, }, }, ], category: "vendor", name: "NetApp", }, { branches: [ { category: "product_name", name: "Oracle Linux", product: { name: "Oracle Linux", product_id: "T004914", product_identification_helper: { cpe: "cpe:/o:oracle:linux:-", }, }, }, { category: "product_name", name: "Oracle Primavera", product: { name: "Oracle Primavera", product_id: "T001021", product_identification_helper: { cpe: "cpe:/a:oracle:primavera_portfolio_management:7.0", }, }, }, { branches: [ { category: "product_version", name: "10", product: { name: "Oracle Retail Allocation 10.0", product_id: "T003997", product_identification_helper: { cpe: "cpe:/a:oracle:retail_allocation:10.0", }, }, }, { category: "product_version", name: "11", product: { name: "Oracle Retail Allocation 11.0", product_id: "T003998", product_identification_helper: { cpe: "cpe:/a:oracle:retail_allocation:11.0", }, }, }, { category: "product_version", name: "12", product: { name: "Oracle Retail Allocation 12.0", product_id: "T003999", product_identification_helper: { cpe: "cpe:/a:oracle:retail_allocation:12.0", }, }, }, { category: "product_version", name: "13", product: { name: "Oracle Retail Allocation 13.0", product_id: "T004000", product_identification_helper: { cpe: "cpe:/a:oracle:retail_allocation:13.0", }, }, }, { category: "product_version", name: "13.1", product: { name: "Oracle Retail Allocation 13.1", product_id: "T004001", product_identification_helper: { cpe: "cpe:/a:oracle:retail_allocation:13.1", }, }, }, { category: "product_version", name: "13.2", product: { name: "Oracle Retail Allocation 13.2", 
product_id: "T004012", product_identification_helper: { cpe: "cpe:/a:oracle:retail_allocation:13.2", }, }, }, ], category: "product_name", name: "Retail Allocation", }, { branches: [ { category: "product_version", name: "13.3", product: { name: "Oracle Retail Clearance Optimization Engine 13.3", product_id: "T004002", product_identification_helper: { cpe: "cpe:/a:oracle:retail_clearance_optimization_engine:13.3", }, }, }, { category: "product_version", name: "13.4", product: { name: "Oracle Retail Clearance Optimization Engine 13.4", product_id: "T004003", product_identification_helper: { cpe: "cpe:/a:oracle:retail_clearance_optimization_engine:13.4", }, }, }, { category: "product_version", name: "14", product: { name: "Oracle Retail Clearance Optimization Engine 14.0", product_id: "T004004", product_identification_helper: { cpe: "cpe:/a:oracle:retail_clearance_optimization_engine:14.0", }, }, }, ], category: "product_name", name: "Retail Clearance Optimization Engine", }, { branches: [ { category: "product_version", name: "11", product: { name: "Oracle Retail Invoice Matching 11.0", product_id: "T001981", product_identification_helper: { cpe: "cpe:/a:oracle:retail_invoice_matching:11.0", }, }, }, { category: "product_version", name: "12", product: { name: "Oracle Retail Invoice Matching 12.0", product_id: "T001982", product_identification_helper: { cpe: "cpe:/a:oracle:retail_invoice_matching:12.0", }, }, }, { category: "product_version", name: "12.0 IN", product: { name: "Oracle Retail Invoice Matching 12.0 IN", product_id: "T001983", product_identification_helper: { cpe: "cpe:/a:oracle:retail_invoice_matching:12.0in", }, }, }, { category: "product_version", name: "12.1", product: { name: "Oracle Retail Invoice Matching 12.1", product_id: "T001984", product_identification_helper: { cpe: "cpe:/a:oracle:retail_invoice_matching:12.1", }, }, }, { category: "product_version", name: "13", product: { name: "Oracle Retail Invoice Matching 13.0", product_id: "T001985", 
product_identification_helper: { cpe: "cpe:/a:oracle:retail_invoice_matching:13.0", }, }, }, { category: "product_version", name: "13.2", product: { name: "Oracle Retail Invoice Matching 13.2", product_id: "T001987", product_identification_helper: { cpe: "cpe:/a:oracle:retail_invoice_matching:13.2", }, }, }, { category: "product_version", name: "14", product: { name: "Oracle Retail Invoice Matching 14.0", product_id: "T004005", product_identification_helper: { cpe: "cpe:/a:oracle:retail_invoice_matching:14.0", }, }, }, { category: "product_version", name: "13.1", product: { name: "Oracle Retail Markdown Optimization 13.1", product_id: "T004011", product_identification_helper: { cpe: "cpe:/a:oracle:retail_invoice_matching:13.1", }, }, }, ], category: "product_name", name: "Retail Invoice Matching", }, { branches: [ { category: "product_version", name: "12", product: { name: "Oracle Retail Markdown Optimization 12.0", product_id: "T004006", product_identification_helper: { cpe: "cpe:/a:oracle:retail_markdown_optimization:12.0", }, }, }, { category: "product_version", name: "13", product: { name: "Oracle Retail Markdown Optimization 13.0", product_id: "T004007", product_identification_helper: { cpe: "cpe:/a:oracle:retail_markdown_optimization:13.0", }, }, }, { category: "product_version", name: "13.2", product: { name: "Oracle Retail Markdown Optimization 13.2", product_id: "T004009", product_identification_helper: { cpe: "cpe:/a:oracle:retail_markdown_optimization:13.2", }, }, }, { category: "product_version", name: "13.4", product: { name: "Oracle Retail Markdown Optimization 13.4", product_id: "T004010", product_identification_helper: { cpe: "cpe:/a:oracle:retail_markdown_optimization:13.4", }, }, }, ], category: "product_name", name: "Retail Markdown Optimization", }, ], category: "vendor", name: "Oracle", }, { branches: [ { branches: [ { category: "product_version", name: "5", product: { name: "Red Hat Enterprise Linux 5", product_id: "74289", 
product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:5::server", }, }, }, ], category: "product_name", name: "Enterprise Linux", }, { branches: [ { category: "product_version", name: "5", product: { name: "Red Hat Enterprise Linux Desktop 5", product_id: "T002352", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux_desktop:5:client", }, }, }, ], category: "product_name", name: "Enterprise Linux Desktop", }, { category: "product_name", name: "Red Hat JBoss Fuse", product: { name: "Red Hat JBoss Fuse", product_id: "T003086", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:-", }, }, }, { category: "product_name", name: "Red Hat Network Satellite Server", product: { name: "Red Hat Network Satellite Server", product_id: "9603", product_identification_helper: { cpe: "cpe:/h:redhat:network_satelite_server:-", }, }, }, ], category: "vendor", name: "Red Hat", }, { branches: [ { category: "product_name", name: "SUSE Linux", product: { name: "SUSE Linux", product_id: "T002207", product_identification_helper: { cpe: "cpe:/o:suse:suse_linux:-", }, }, }, ], category: "vendor", name: "SUSE", }, ], }, vulnerabilities: [ { cve: "CVE-2014-0114", notes: [ { category: "description", text: "A vulnerability exists in Apache Struts that can be exploited for remote code execution. It is caused by insufficient access restriction on the \"class\" parameter of the \"ActionForm\" object. 
A remote, anonymous attacker can exploit this vulnerability to execute arbitrary code with the privileges of the service.", }, ], product_status: { known_affected: [ "T004011", "T004012", "T009408", "T013722", "T003109", "T004914", "T001987", "T001985", "T001984", "T001983", "T001982", "T001981", "T004073", "T008871", "T001021", "T002352", "T003086", "T004010", "T004000", "T004001", "T004002", "T004003", "T004004", "T004005", "T004006", "T004007", "T003997", "74289", "T003998", "T004009", "T003999", "T002207", "9603", "T001572", "T022173", ], }, release_date: "2014-05-06T22:00:00.000+00:00", title: "CVE-2014-0114", }, ], }
wid-sec-w-2024-1277
Vulnerability from csaf_certbund
Notes
{ document: { aggregate_severity: { text: "critical", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "As the provider of the content it makes available for use, the BSI is responsible for that content under the general laws. Users, however, are responsible for carefully checking the use and/or implementation of the information provided with the content in each individual case.", }, { category: "description", text: "Oracle Fusion Middleware bundles several products for building, running and managing intelligent business applications.", title: "Product description", }, { category: "summary", text: "A remote, anonymous attacker can exploit multiple vulnerabilities in Oracle Fusion Middleware to compromise integrity, confidentiality and availability.", title: "Attack", }, { category: "general", text: "- Linux\n- UNIX\n- Windows", title: "Affected operating systems", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-1277 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2017/wid-sec-w-2024-1277.json", }, { category: "self", summary: "WID-SEC-2024-1277 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1277", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - April 2017 - Oracle Fusion Middleware of 2017-04-18", url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixFMW", }, { category: "external", summary: "CISA Known Exploited Vulnerabilities Catalog of 2024-06-03", url: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, ], 
source_lang: "en-US", title: "Oracle Fusion Middleware: Multiple vulnerabilities", tracking: { current_release_date: "2024-11-11T23:00:00.000+00:00", generator: { date: "2024-11-12T10:06:32.931+00:00", engine: { name: "BSI-WID", version: "1.3.8", }, }, id: "WID-SEC-W-2024-1277", initial_release_date: "2017-04-18T22:00:00.000+00:00", revision_history: [ { date: "2017-04-18T22:00:00.000+00:00", number: "1", summary: "Initial Release", }, { date: "2017-04-18T22:00:00.000+00:00", number: "2", summary: "n", }, { date: "2017-04-18T22:00:00.000+00:00", number: "3", summary: "Version not available", }, { date: "2024-06-03T22:00:00.000+00:00", number: "4", summary: "Active exploitation reported", }, { date: "2024-11-11T23:00:00.000+00:00", number: "5", summary: "Correction", }, ], status: "final", version: "5", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "Oracle Fusion Middleware", product: { name: "Oracle Fusion Middleware", product_id: "T006198", product_identification_helper: { cpe: "cpe:/a:oracle:fusion_middleware:-", }, }, }, { category: "product_name", name: "Oracle WebCenter Sites", product: { name: "Oracle WebCenter Sites", product_id: "T009734", product_identification_helper: { cpe: "cpe:/a:oracle:webcenter_sites:-", }, }, }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2012-1007", notes: [ { category: "description", text: "Multiple unspecified vulnerabilities exist in Oracle Fusion Middleware. By exploiting these vulnerabilities, an attacker can compromise confidentiality, integrity and availability. Exploiting some of these vulnerabilities requires no authentication. Oracle publishes no further details on these vulnerabilities (apart from the information in the risk matrix of the Oracle advisory for the Critical Patch Update, see the link at the bottom of this advisory). 
Given the scarce information available, the damage assessment is based solely on the CVSS impact matrix. The maximum value for these products is \"High\" for \"Integrity\", \"Confidentiality\" and \"Availability\", which results in a \"high\" damage level.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2012-1007", }, { cve: "CVE-2014-0114", notes: [ { category: "description", text: "Multiple unspecified vulnerabilities exist in Oracle Fusion Middleware. By exploiting these vulnerabilities, an attacker can compromise confidentiality, integrity and availability. Exploiting some of these vulnerabilities requires no authentication. Oracle publishes no further details on these vulnerabilities (apart from the information in the risk matrix of the Oracle advisory for the Critical Patch Update, see the link at the bottom of this advisory). Given the scarce information available, the damage assessment is based solely on the CVSS impact matrix. The maximum value for these products is \"High\" for \"Integrity\", \"Confidentiality\" and \"Availability\", which results in a \"high\" damage level.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2014-0114", }, { cve: "CVE-2015-5351", notes: [ { category: "description", text: "Multiple unspecified vulnerabilities exist in Oracle Fusion Middleware. By exploiting these vulnerabilities, an attacker can compromise confidentiality, integrity and availability. Exploiting some of these vulnerabilities requires no authentication. Oracle publishes no further details on these vulnerabilities (apart from the information in the risk matrix of the Oracle advisory for the Critical Patch Update, see the link at the bottom of this advisory). 
Given the scarce information available, the damage assessment is based solely on the CVSS impact matrix. The maximum value for these products is \"High\" for \"Integrity\", \"Confidentiality\" and \"Availability\", which results in a \"high\" damage level.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2015-5351", }, { cve: "CVE-2015-7501", notes: [ { category: "description", text: "Multiple unspecified vulnerabilities exist in Oracle Fusion Middleware. By exploiting these vulnerabilities, an attacker can compromise confidentiality, integrity and availability. Exploiting some of these vulnerabilities requires no authentication. Oracle publishes no further details on these vulnerabilities (apart from the information in the risk matrix of the Oracle advisory for the Critical Patch Update, see the link at the bottom of this advisory). Given the scarce information available, the damage assessment is based solely on the CVSS impact matrix. The maximum value for these products is \"High\" for \"Integrity\", \"Confidentiality\" and \"Availability\", which results in a \"high\" damage level.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2015-7501", }, { cve: "CVE-2016-0706", notes: [ { category: "description", text: "Multiple unspecified vulnerabilities exist in Oracle Fusion Middleware. By exploiting these vulnerabilities, an attacker can compromise confidentiality, integrity and availability. Exploiting some of these vulnerabilities requires no authentication. Oracle publishes no further details on these vulnerabilities (apart from the information in the risk matrix of the Oracle advisory for the Critical Patch Update, see the link at the bottom of this advisory). 
Given the scarce information available, the damage assessment is based solely on the CVSS impact matrix. The maximum value for these products is \"High\" for \"Integrity\", \"Confidentiality\" and \"Availability\", which results in a \"high\" damage level.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2016-0706", }, { cve: "CVE-2016-0714", notes: [ { category: "description", text: "Multiple unspecified vulnerabilities exist in Oracle Fusion Middleware. By exploiting these vulnerabilities, an attacker can compromise confidentiality, integrity and availability. Exploiting some of these vulnerabilities requires no authentication. Oracle publishes no further details on these vulnerabilities (apart from the information in the risk matrix of the Oracle advisory for the Critical Patch Update, see the link at the bottom of this advisory). Given the scarce information available, the damage assessment is based solely on the CVSS impact matrix. The maximum value for these products is \"High\" for \"Integrity\", \"Confidentiality\" and \"Availability\", which results in a \"high\" damage level.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2016-0714", }, { cve: "CVE-2016-0763", notes: [ { category: "description", text: "Multiple unspecified vulnerabilities exist in Oracle Fusion Middleware. By exploiting these vulnerabilities, an attacker can compromise confidentiality, integrity and availability. Exploiting some of these vulnerabilities requires no authentication. Oracle publishes no further details on these vulnerabilities (apart from the information in the risk matrix of the Oracle advisory for the Critical Patch Update, see the link at the bottom of this advisory). 
Given the scarce information available, the damage assessment is based solely on the CVSS impact matrix. The maximum value for these products is \"High\" for \"Integrity\", \"Confidentiality\" and \"Availability\", which results in a \"high\" damage level.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2016-0763", }, { cve: "CVE-2016-1181", notes: [ { category: "description", text: "Multiple unspecified vulnerabilities exist in Oracle Fusion Middleware. By exploiting these vulnerabilities, an attacker can compromise confidentiality, integrity and availability. Exploiting some of these vulnerabilities requires no authentication. Oracle publishes no further details on these vulnerabilities (apart from the information in the risk matrix of the Oracle advisory for the Critical Patch Update, see the link at the bottom of this advisory). Given the scarce information available, the damage assessment is based solely on the CVSS impact matrix. The maximum value for these products is \"High\" for \"Integrity\", \"Confidentiality\" and \"Availability\", which results in a \"high\" damage level.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2016-1181", }, { cve: "CVE-2016-1182", notes: [ { category: "description", text: "Multiple unspecified vulnerabilities exist in Oracle Fusion Middleware. By exploiting these vulnerabilities, an attacker can compromise confidentiality, integrity and availability. Exploiting some of these vulnerabilities requires no authentication. Oracle publishes no further details on these vulnerabilities (apart from the information in the risk matrix of the Oracle advisory for the Critical Patch Update, see the link at the bottom of this advisory). 
Given the scarce information available, the damage assessment is based solely on the CVSS impact matrix. The maximum value for these products is \"High\" for \"Integrity\", \"Confidentiality\" and \"Availability\", which results in a \"high\" damage level.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2016-1182", }, { cve: "CVE-2016-2177", notes: [ { category: "description", text: "Multiple unspecified vulnerabilities exist in Oracle Fusion Middleware. By exploiting these vulnerabilities, an attacker can compromise confidentiality, integrity and availability. Exploiting some of these vulnerabilities requires no authentication. Oracle publishes no further details on these vulnerabilities (apart from the information in the risk matrix of the Oracle advisory for the Critical Patch Update, see the link at the bottom of this advisory). Given the scarce information available, the damage assessment is based solely on the CVSS impact matrix. The maximum value for these products is \"High\" for \"Integrity\", \"Confidentiality\" and \"Availability\", which results in a \"high\" damage level.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2016-2177", }, { cve: "CVE-2016-2178", notes: [ { category: "description", text: "Multiple unspecified vulnerabilities exist in Oracle Fusion Middleware. By exploiting these vulnerabilities, an attacker can compromise confidentiality, integrity and availability. Exploiting some of these vulnerabilities requires no authentication. Oracle publishes no further details on these vulnerabilities (apart from the information in the risk matrix of the Oracle advisory for the Critical Patch Update, see the link at the bottom of this advisory). 
Given the scarce information available, the damage assessment is based solely on the CVSS impact matrix. The maximum value for these products is \"High\" for \"Integrity\", \"Confidentiality\" and \"Availability\", which results in a \"high\" damage level.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2016-2178", }, { cve: "CVE-2016-2179", notes: [ { category: "description", text: "Multiple unspecified vulnerabilities exist in Oracle Fusion Middleware. By exploiting these vulnerabilities, an attacker can compromise confidentiality, integrity and availability. Exploiting some of these vulnerabilities requires no authentication. Oracle publishes no further details on these vulnerabilities (apart from the information in the risk matrix of the Oracle advisory for the Critical Patch Update, see the link at the bottom of this advisory). Given the scarce information available, the damage assessment is based solely on the CVSS impact matrix. The maximum value for these products is \"High\" for \"Integrity\", \"Confidentiality\" and \"Availability\", which results in a \"high\" damage level.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2016-2179", }, { cve: "CVE-2016-2180", notes: [ { category: "description", text: "Multiple unspecified vulnerabilities exist in Oracle Fusion Middleware. By exploiting these vulnerabilities, an attacker can compromise confidentiality, integrity and availability. Exploiting some of these vulnerabilities requires no authentication. Oracle publishes no further details on these vulnerabilities (apart from the information in the risk matrix of the Oracle advisory for the Critical Patch Update, see the link at the bottom of this advisory). 
Given the scarce information available, the damage assessment is based solely on the CVSS impact matrix. The maximum value for these products is \"High\" for \"Integrity\", \"Confidentiality\" and \"Availability\", which results in a \"high\" damage level.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2016-2180", }, { cve: "CVE-2016-2181", notes: [ { category: "description", text: "Multiple unspecified vulnerabilities exist in Oracle Fusion Middleware. By exploiting these vulnerabilities, an attacker can compromise confidentiality, integrity and availability. Exploiting some of these vulnerabilities requires no authentication. Oracle publishes no further details on these vulnerabilities (apart from the information in the risk matrix of the Oracle advisory for the Critical Patch Update, see the link at the bottom of this advisory). Given the scarce information available, the damage assessment is based solely on the CVSS impact matrix. The maximum value for these products is \"High\" for \"Integrity\", \"Confidentiality\" and \"Availability\", which results in a \"high\" damage level.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2016-2181", }, { cve: "CVE-2016-2182", notes: [ { category: "description", text: "Multiple unspecified vulnerabilities exist in Oracle Fusion Middleware. By exploiting these vulnerabilities, an attacker can compromise confidentiality, integrity and availability. Exploiting some of these vulnerabilities requires no authentication. Oracle publishes no further details on these vulnerabilities (apart from the information in the risk matrix of the Oracle advisory for the Critical Patch Update, see the link at the bottom of this advisory). 
Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2016-2182", }, { cve: "CVE-2016-2183", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2016-2183", }, { cve: "CVE-2016-6302", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). 
Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2016-6302", }, { cve: "CVE-2016-6303", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2016-6303", }, { cve: "CVE-2016-6304", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). 
Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2016-6304", }, { cve: "CVE-2016-6305", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2016-6305", }, { cve: "CVE-2016-6306", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). 
Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2016-6306", }, { cve: "CVE-2016-6307", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2016-6307", }, { cve: "CVE-2016-6308", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). 
Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2016-6308", }, { cve: "CVE-2016-6309", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2016-6309", }, { cve: "CVE-2016-7052", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). 
Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2016-7052", }, { cve: "CVE-2017-3230", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2017-3230", }, { cve: "CVE-2017-3499", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). 
Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2017-3499", }, { cve: "CVE-2017-3506", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2017-3506", }, { cve: "CVE-2017-3507", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). 
Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2017-3507", }, { cve: "CVE-2017-3531", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2017-3531", }, { cve: "CVE-2017-3540", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). 
Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2017-3540", }, { cve: "CVE-2017-3541", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2017-3541", }, { cve: "CVE-2017-3542", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). 
Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2017-3542", }, { cve: "CVE-2017-3543", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2017-3543", }, { cve: "CVE-2017-3545", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). 
Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2017-3545", }, { cve: "CVE-2017-3553", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2017-3553", }, { cve: "CVE-2017-3554", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). 
Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2017-3554", }, { cve: "CVE-2017-3591", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2017-3591", }, { cve: "CVE-2017-3593", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). 
Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2017-3593", }, { cve: "CVE-2017-3594", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2017-3594", }, { cve: "CVE-2017-3595", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). 
Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2017-3595", }, { cve: "CVE-2017-3596", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2017-3596", }, { cve: "CVE-2017-3597", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). 
Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2017-3597", }, { cve: "CVE-2017-3598", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2017-3598", }, { cve: "CVE-2017-3601", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). 
Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2017-3601", }, { cve: "CVE-2017-3602", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2017-3602", }, { cve: "CVE-2017-3603", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). 
Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2017-3603", }, { cve: "CVE-2017-3625", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2017-3625", }, { cve: "CVE-2017-3626", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). 
Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2017-3626", }, { cve: "CVE-2017-5638", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere nicht näher beschriebene Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Integrity\", \"Confidentiality\" und \"Availability\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T009734", "T006198", ], }, release_date: "2017-04-18T22:00:00.000+00:00", title: "CVE-2017-5638", }, ], }
WID-SEC-W-2022-0770
Vulnerability from csaf_certbund
Notes
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "IBM DB2 ist ein relationales Datenbanksystem (RDBS) von IBM.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in IBM DB2 ausnutzen, um seine Privilegien zu erhöhen oder einen Denial of Service zu verursachen", title: "Angriff", }, { category: "general", text: "- Linux\n- UNIX\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2022-0770 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2020/wid-sec-w-2022-0770.json", }, { category: "self", summary: "WID-SEC-2022-0770 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0770", }, { category: "external", summary: "IBM Security Bulletin 6198380 vom 2020-04-23", url: "https://www.ibm.com/support/pages/node/6198380", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:2603 vom 2020-06-17", url: "https://access.redhat.com/errata/RHSA-2020:2603", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:4807 vom 2020-11-04", url: "https://access.redhat.com/errata/RHSA-2020:4807", }, { category: "external", summary: 
"Red Hat Security Advisory RHSA-2021:3225 vom 2021-08-20", url: "https://access.redhat.com/errata/RHSA-2021:3225", }, { category: "external", summary: "Hitachi Vulnerability Information HITACHI-SEC-2022-115 vom 2022-05-27", url: "https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2022-115/index.html", }, { category: "external", summary: "IBM Security Bulletin 6605881 vom 2022-07-21", url: "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-have-been-identified-in-ibm-db2-shipped-with-ibm-puredata-system-for-operational-analytics/", }, { category: "external", summary: "Dell Security Advisory DSA-2024-070 vom 2024-02-03", url: "https://www.dell.com/support/kbdoc/000221770/dsa-2024-=", }, { category: "external", summary: "Hitachi Vulnerability Information HITACHI-SEC-2023-144 vom 2023-10-03", url: "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2023-144/index.html", }, { category: "external", summary: "IBM Security Bulletin 7153639 vom 2024-05-17", url: "https://www.ibm.com/support/pages/node/7153639", }, ], source_lang: "en-US", title: "IBM DB2: Mehrere Schwachstellen", tracking: { current_release_date: "2024-05-16T22:00:00.000+00:00", generator: { date: "2024-08-15T17:32:05.856+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2022-0770", initial_release_date: "2020-04-23T22:00:00.000+00:00", revision_history: [ { date: "2020-04-23T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2020-06-17T22:00:00.000+00:00", number: "2", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2020-11-03T23:00:00.000+00:00", number: "3", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2021-08-19T22:00:00.000+00:00", number: "4", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2022-05-26T22:00:00.000+00:00", number: "5", summary: "Neue Updates von HITACHI aufgenommen", }, { date: "2022-07-20T22:00:00.000+00:00", 
number: "6", summary: "Neue Updates von IBM aufgenommen", }, { date: "2023-10-03T22:00:00.000+00:00", number: "7", summary: "Neue Updates von HITACHI aufgenommen", }, { date: "2024-02-04T23:00:00.000+00:00", number: "8", summary: "Neue Updates von Dell aufgenommen", }, { date: "2024-05-16T22:00:00.000+00:00", number: "9", summary: "Neue Updates von IBM aufgenommen", }, ], status: "final", version: "9", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "EMC Avamar", product: { name: "EMC Avamar", product_id: "T014381", product_identification_helper: { cpe: "cpe:/a:emc:avamar:-", }, }, }, ], category: "vendor", name: "EMC", }, { branches: [ { branches: [ { category: "product_name", name: "Hitachi Ops Center", product: { name: "Hitachi Ops Center", product_id: "T017562", product_identification_helper: { cpe: "cpe:/a:hitachi:ops_center:-", }, }, }, { category: "product_version_range", name: "<Analyzer 10.9.3-00", product: { name: "Hitachi Ops Center <Analyzer 10.9.3-00", product_id: "T030196", }, }, { category: "product_version_range", name: "<Viewpoint 10.9.3-00", product: { name: "Hitachi Ops Center <Viewpoint 10.9.3-00", product_id: "T030197", }, }, ], category: "product_name", name: "Ops Center", }, ], category: "vendor", name: "Hitachi", }, { branches: [ { branches: [ { category: "product_version", name: "11.1", product: { name: "IBM DB2 11.1", product_id: "342000", product_identification_helper: { cpe: "cpe:/a:ibm:db2:11.1", }, }, }, { category: "product_version", name: "11.5", product: { name: "IBM DB2 11.5", product_id: "695419", product_identification_helper: { cpe: "cpe:/a:ibm:db2:11.5", }, }, }, ], category: "product_name", name: "DB2", }, ], category: "vendor", name: "IBM", }, { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux", product: { name: "Red Hat Enterprise Linux", product_id: "67646", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:-", }, }, }, ], category: "vendor", name: 
"Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2009-0001", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2009-0001", }, { cve: "CVE-2014-0114", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2014-0114", }, { cve: "CVE-2014-0193", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2014-0193", }, { cve: "CVE-2014-3488", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. 
Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2014-3488", }, { cve: "CVE-2015-2156", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2015-2156", }, { cve: "CVE-2016-2402", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2016-2402", }, { cve: "CVE-2017-12972", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. 
Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2017-12972", }, { cve: "CVE-2017-12973", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2017-12973", }, { cve: "CVE-2017-12974", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2017-12974", }, { cve: "CVE-2017-18640", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. 
Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2017-18640", }, { cve: "CVE-2017-3734", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2017-3734", }, { cve: "CVE-2017-5637", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2017-5637", }, { cve: "CVE-2018-10237", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. 
Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2018-10237", }, { cve: "CVE-2018-11771", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2018-11771", }, { cve: "CVE-2018-8009", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2018-8009", }, { cve: "CVE-2018-8012", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. 
Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2018-8012", }, { cve: "CVE-2019-0201", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2019-0201", }, { cve: "CVE-2019-10086", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2019-10086", }, { cve: "CVE-2019-10172", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. 
Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2019-10172", }, { cve: "CVE-2019-10202", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2019-10202", }, { cve: "CVE-2019-12402", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2019-12402", }, { cve: "CVE-2019-16869", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. 
Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2019-16869", }, { cve: "CVE-2019-17195", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2019-17195", }, { cve: "CVE-2019-17571", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2019-17571", }, { cve: "CVE-2019-9512", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. 
Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2019-9512", }, { cve: "CVE-2019-9514", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2019-9514", }, { cve: "CVE-2019-9515", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2019-9515", }, { cve: "CVE-2019-9518", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2019-9518", }, ], }
WID-SEC-W-2023-0918
Vulnerability from csaf_certbund
Notes
{ document: { aggregate_severity: { text: "mittel", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Struts ist ein Framework für Java-Anwendungen auf dem Webserver Apache.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache Struts ausnutzen, um beliebigen Programmcode mit den Rechten des Dienstes auszuführen.", title: "Angriff", }, { category: "general", text: "- Linux\n- UNIX\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-0918 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2014/wid-sec-w-2023-0918.json", }, { category: "self", summary: "WID-SEC-2023-0918 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0918", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2014:0474-1 vom 2014-05-07", url: "https://rhn.redhat.com/errata/RHSA-2014-0474.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2014:0497-1 vom 2014-05-14", url: "https://rhn.redhat.com/errata/RHSA-2014-0497.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2014:0498-1 vom 2014-05-14", url: "https://rhn.redhat.com/errata/RHSA-2014-0498.html", }, { category: 
"external", summary: "Red Hat Security Advisory RHSA-2014:0500-1 vom 2014-05-14", url: "https://rhn.redhat.com/errata/RHSA-2014-0500.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2014:0511-1 vom 2014-05-15", url: "https://rhn.redhat.com/errata/RHSA-2014-0511.html", }, { category: "external", summary: "SUSE Security Update: Security Update für Struts", url: "http://lists.opensuse.org/opensuse-security-announce/2014-07/msg00008.html", }, { category: "external", summary: "Debian Security Advisory DSA-2940-1 vom 2014-08-21", url: "https://www.debian.org/security/2014/dsa-2940", }, { category: "external", summary: "Oracle Critical Patch Update Advisory Appendix Retail Applications vom 2014-10-14", url: "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html#AppendixRAPP", }, { category: "external", summary: "HP Security Bulletin c04473828 vom 2014-10-14", url: "https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04473828", }, { category: "external", summary: "HP Security Bulletin HPSBGN03669 vom 2016-11-07", url: "https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05324755", }, { category: "external", summary: "NetApp Advisory Number NTAP-20140911-0001 vom 2017-04-06", url: "https://kb.netapp.com/support/s/article/ka51A00000007QFQAY/apache-struts-class-suppression-vulnerability-in-select-netapp-products?language=en_US", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2019:2995 vom 2019-10-10", url: "https://access.redhat.com/errata/RHSA-2019:2995", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2020-0194 vom 2020-04-24", url: "https://oss.oracle.com/pipermail/el-errata/2020-January/009538.html", }, { category: "external", summary: "IBM Security Bulletin 6982881 vom 2023-04-12", url: "https://www.ibm.com/support/pages/node/6982881", }, { category: "external", summary: "IBM Security Bulletin 7153639 vom 2024-05-17", url: 
"https://www.ibm.com/support/pages/node/7153639", }, ], source_lang: "en-US", title: "Apache Struts: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes", tracking: { current_release_date: "2024-05-16T22:00:00.000+00:00", generator: { date: "2024-08-15T17:48:28.762+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-0918", initial_release_date: "2014-05-06T22:00:00.000+00:00", revision_history: [ { date: "2014-05-06T22:00:00.000+00:00", number: "1", summary: "Initial Release", }, { date: "2014-05-06T22:00:00.000+00:00", number: "2", summary: "Version nicht vorhanden", }, { date: "2014-05-06T22:00:00.000+00:00", number: "3", summary: "Version nicht vorhanden", }, { date: "2014-05-06T22:00:00.000+00:00", number: "4", summary: "Version nicht vorhanden", }, { date: "2014-05-15T22:00:00.000+00:00", number: "5", summary: "New remediations available", }, { date: "2014-05-15T22:00:00.000+00:00", number: "6", summary: "Version nicht vorhanden", }, { date: "2014-07-15T22:00:00.000+00:00", number: "7", summary: "New remediations available", }, { date: "2014-07-15T22:00:00.000+00:00", number: "8", summary: "Version nicht vorhanden", }, { date: "2014-08-21T22:00:00.000+00:00", number: "9", summary: "New remediations available", }, { date: "2014-08-21T22:00:00.000+00:00", number: "10", summary: "Version nicht vorhanden", }, { date: "2014-08-21T22:00:00.000+00:00", number: "11", summary: "Version nicht vorhanden", }, { date: "2014-08-21T22:00:00.000+00:00", number: "12", summary: "Version nicht vorhanden", }, { date: "2014-08-21T22:00:00.000+00:00", number: "13", summary: "Version nicht vorhanden", }, { date: "2016-11-06T23:00:00.000+00:00", number: "14", summary: "New remediations available", }, { date: "2016-11-06T23:00:00.000+00:00", number: "15", summary: "Version nicht vorhanden", }, { date: "2017-04-06T22:00:00.000+00:00", number: "16", summary: "n", }, { date: "2017-04-06T22:00:00.000+00:00", number: "17", 
summary: "Version nicht vorhanden", }, { date: "2019-10-09T22:00:00.000+00:00", number: "18", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2020-04-23T22:00:00.000+00:00", number: "19", summary: "Neue Updates von Oracle Linux aufgenommen", }, { date: "2023-04-11T22:00:00.000+00:00", number: "20", summary: "Neue Updates von IBM aufgenommen", }, { date: "2024-05-16T22:00:00.000+00:00", number: "21", summary: "Neue Updates von IBM aufgenommen", }, ], status: "final", version: "21", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "1", product: { name: "Apache Struts 1", product_id: "T003109", product_identification_helper: { cpe: "cpe:/a:apache:struts:1", }, }, }, ], category: "product_name", name: "Struts", }, ], category: "vendor", name: "Apache", }, { branches: [ { category: "product_name", name: "Debian Linux Wheezy (7.0)", product: { name: "Debian Linux Wheezy (7.0)", product_id: "T001572", product_identification_helper: { cpe: "cpe:/o:debian:debian_linux:7.0", }, }, }, ], category: "vendor", name: "Debian", }, { branches: [ { category: "product_name", name: "HPE SiteScope", product: { name: "HPE SiteScope", product_id: "T008871", product_identification_helper: { cpe: "cpe:/a:hp:sitescope:-", }, }, }, { category: "product_name", name: "HPE XP P9000 Command View Advanced Edition", product: { name: "HPE XP P9000 Command View Advanced Edition", product_id: "T004073", product_identification_helper: { cpe: "cpe:/a:hp:xp_p9000_command_view_advanced_edition:-", }, }, }, ], category: "vendor", name: "HPE", }, { branches: [ { branches: [ { category: "product_version", name: "8.1", product: { name: "IBM Operational Decision Manager 8.10", product_id: "T013722", product_identification_helper: { cpe: "cpe:/a:ibm:operational_decision_manager:8.10", }, }, }, { category: "product_version", name: "8.11", product: { name: "IBM Operational Decision Manager 8.11", product_id: "T022173", product_identification_helper: 
{ cpe: "cpe:/a:ibm:operational_decision_manager:8.11", }, }, }, ], category: "product_name", name: "Operational Decision Manager", }, ], category: "vendor", name: "IBM", }, { branches: [ { category: "product_name", name: "NetApp OnCommand Unified Manager", product: { name: "NetApp OnCommand Unified Manager", product_id: "T009408", product_identification_helper: { cpe: "cpe:/a:netapp:oncommand_unified_manager:-", }, }, }, ], category: "vendor", name: "NetApp", }, { branches: [ { category: "product_name", name: "Oracle Linux", product: { name: "Oracle Linux", product_id: "T004914", product_identification_helper: { cpe: "cpe:/o:oracle:linux:-", }, }, }, { category: "product_name", name: "Oracle Primavera", product: { name: "Oracle Primavera", product_id: "T001021", product_identification_helper: { cpe: "cpe:/a:oracle:primavera_portfolio_management:7.0", }, }, }, { branches: [ { category: "product_version", name: "10", product: { name: "Oracle Retail Allocation 10.0", product_id: "T003997", product_identification_helper: { cpe: "cpe:/a:oracle:retail_allocation:10.0", }, }, }, { category: "product_version", name: "11", product: { name: "Oracle Retail Allocation 11.0", product_id: "T003998", product_identification_helper: { cpe: "cpe:/a:oracle:retail_allocation:11.0", }, }, }, { category: "product_version", name: "12", product: { name: "Oracle Retail Allocation 12.0", product_id: "T003999", product_identification_helper: { cpe: "cpe:/a:oracle:retail_allocation:12.0", }, }, }, { category: "product_version", name: "13", product: { name: "Oracle Retail Allocation 13.0", product_id: "T004000", product_identification_helper: { cpe: "cpe:/a:oracle:retail_allocation:13.0", }, }, }, { category: "product_version", name: "13.1", product: { name: "Oracle Retail Allocation 13.1", product_id: "T004001", product_identification_helper: { cpe: "cpe:/a:oracle:retail_allocation:13.1", }, }, }, { category: "product_version", name: "13.2", product: { name: "Oracle Retail Allocation 13.2", 
product_id: "T004012", product_identification_helper: { cpe: "cpe:/a:oracle:retail_allocation:13.2", }, }, }, ], category: "product_name", name: "Retail Allocation", }, { branches: [ { category: "product_version", name: "13.3", product: { name: "Oracle Retail Clearance Optimization Engine 13.3", product_id: "T004002", product_identification_helper: { cpe: "cpe:/a:oracle:retail_clearance_optimization_engine:13.3", }, }, }, { category: "product_version", name: "13.4", product: { name: "Oracle Retail Clearance Optimization Engine 13.4", product_id: "T004003", product_identification_helper: { cpe: "cpe:/a:oracle:retail_clearance_optimization_engine:13.4", }, }, }, { category: "product_version", name: "14", product: { name: "Oracle Retail Clearance Optimization Engine 14.0", product_id: "T004004", product_identification_helper: { cpe: "cpe:/a:oracle:retail_clearance_optimization_engine:14.0", }, }, }, ], category: "product_name", name: "Retail Clearance Optimization Engine", }, { branches: [ { category: "product_version", name: "11", product: { name: "Oracle Retail Invoice Matching 11.0", product_id: "T001981", product_identification_helper: { cpe: "cpe:/a:oracle:retail_invoice_matching:11.0", }, }, }, { category: "product_version", name: "12", product: { name: "Oracle Retail Invoice Matching 12.0", product_id: "T001982", product_identification_helper: { cpe: "cpe:/a:oracle:retail_invoice_matching:12.0", }, }, }, { category: "product_version", name: "12.0 IN", product: { name: "Oracle Retail Invoice Matching 12.0 IN", product_id: "T001983", product_identification_helper: { cpe: "cpe:/a:oracle:retail_invoice_matching:12.0in", }, }, }, { category: "product_version", name: "12.1", product: { name: "Oracle Retail Invoice Matching 12.1", product_id: "T001984", product_identification_helper: { cpe: "cpe:/a:oracle:retail_invoice_matching:12.1", }, }, }, { category: "product_version", name: "13", product: { name: "Oracle Retail Invoice Matching 13.0", product_id: "T001985", 
product_identification_helper: { cpe: "cpe:/a:oracle:retail_invoice_matching:13.0", }, }, }, { category: "product_version", name: "13.2", product: { name: "Oracle Retail Invoice Matching 13.2", product_id: "T001987", product_identification_helper: { cpe: "cpe:/a:oracle:retail_invoice_matching:13.2", }, }, }, { category: "product_version", name: "14", product: { name: "Oracle Retail Invoice Matching 14.0", product_id: "T004005", product_identification_helper: { cpe: "cpe:/a:oracle:retail_invoice_matching:14.0", }, }, }, { category: "product_version", name: "13.1", product: { name: "Oracle Retail Markdown Optimization 13.1", product_id: "T004011", product_identification_helper: { cpe: "cpe:/a:oracle:retail_invoice_matching:13.1", }, }, }, ], category: "product_name", name: "Retail Invoice Matching", }, { branches: [ { category: "product_version", name: "12", product: { name: "Oracle Retail Markdown Optimization 12.0", product_id: "T004006", product_identification_helper: { cpe: "cpe:/a:oracle:retail_markdown_optimization:12.0", }, }, }, { category: "product_version", name: "13", product: { name: "Oracle Retail Markdown Optimization 13.0", product_id: "T004007", product_identification_helper: { cpe: "cpe:/a:oracle:retail_markdown_optimization:13.0", }, }, }, { category: "product_version", name: "13.2", product: { name: "Oracle Retail Markdown Optimization 13.2", product_id: "T004009", product_identification_helper: { cpe: "cpe:/a:oracle:retail_markdown_optimization:13.2", }, }, }, { category: "product_version", name: "13.4", product: { name: "Oracle Retail Markdown Optimization 13.4", product_id: "T004010", product_identification_helper: { cpe: "cpe:/a:oracle:retail_markdown_optimization:13.4", }, }, }, ], category: "product_name", name: "Retail Markdown Optimization", }, ], category: "vendor", name: "Oracle", }, { branches: [ { branches: [ { category: "product_version", name: "5", product: { name: "Red Hat Enterprise Linux 5", product_id: "74289", 
product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:5::server", }, }, }, ], category: "product_name", name: "Enterprise Linux", }, { branches: [ { category: "product_version", name: "5", product: { name: "Red Hat Enterprise Linux Desktop 5", product_id: "T002352", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux_desktop:5:client", }, }, }, ], category: "product_name", name: "Enterprise Linux Desktop", }, { category: "product_name", name: "Red Hat JBoss Fuse", product: { name: "Red Hat JBoss Fuse", product_id: "T003086", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:-", }, }, }, { category: "product_name", name: "Red Hat Network Satellite Server", product: { name: "Red Hat Network Satellite Server", product_id: "9603", product_identification_helper: { cpe: "cpe:/h:redhat:network_satelite_server:-", }, }, }, ], category: "vendor", name: "Red Hat", }, { branches: [ { category: "product_name", name: "SUSE Linux", product: { name: "SUSE Linux", product_id: "T002207", product_identification_helper: { cpe: "cpe:/o:suse:suse_linux:-", }, }, }, ], category: "vendor", name: "SUSE", }, ], }, vulnerabilities: [ { cve: "CVE-2014-0114", notes: [ { category: "description", text: "In Apache Struts besteht eine Schwachstelle, welche zur entfernten Codeausführung ausgenutzt werden kann. Diese Schwachstelle wird durch eine unzureichende Zugriffsbeschränkung auf den \"class\" Parameter im \"ActionForm\" Objekt verursacht. 
Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Code mit den Rechten des Dienstes auszuführen.", }, ], product_status: { known_affected: [ "T004011", "T004012", "T009408", "T013722", "T003109", "T004914", "T001987", "T001985", "T001984", "T001983", "T001982", "T001981", "T004073", "T008871", "T001021", "T002352", "T003086", "T004010", "T004000", "T004001", "T004002", "T004003", "T004004", "T004005", "T004006", "T004007", "T003997", "74289", "T003998", "T004009", "T003999", "T002207", "9603", "T001572", "T022173", ], }, release_date: "2014-05-06T22:00:00.000+00:00", title: "CVE-2014-0114", }, ], }
WID-SEC-W-2022-1375
Vulnerability from csaf_certbund
Notes
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "JFrog Artifactory ist eine universelle DevOps-Lösung.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in JFrog Artifactory ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2022-1375 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-1375.json", }, { category: "self", summary: "WID-SEC-2022-1375 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1375", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:5165 vom 2023-09-14", url: "https://access.redhat.com/errata/RHSA-2023:5165", }, { category: "external", summary: "JFrog Fixed Security Vulnerabilities vom 2022-09-11", url: "https://www.jfrog.com/confluence/display/JFROG/Fixed+Security+Vulnerabilities", }, { category: "external", summary: "JFrog Fixed Security 
Vulnerabilities", url: "https://www.jfrog.com/confluence/display/JFROG/Fixed+Security+Vulnerabilities", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2022:6782 vom 2022-10-04", url: "https://access.redhat.com/errata/RHSA-2022:6782", }, { category: "external", summary: "Ubuntu Security Notice USN-5776-1 vom 2022-12-13", url: "https://ubuntu.com/security/notices/USN-5776-1", }, ], source_lang: "en-US", title: "JFrog Artifactory: Mehrere Schwachstellen", tracking: { current_release_date: "2023-09-14T22:00:00.000+00:00", generator: { date: "2024-08-15T17:34:59.214+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2022-1375", initial_release_date: "2022-09-11T22:00:00.000+00:00", revision_history: [ { date: "2022-09-11T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2022-10-03T22:00:00.000+00:00", number: "2", summary: "Neue Updates aufgenommen", }, { date: "2022-10-04T22:00:00.000+00:00", number: "3", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2022-12-12T23:00:00.000+00:00", number: "4", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2022-12-20T23:00:00.000+00:00", number: "5", summary: "Referenz(en) aufgenommen: FEDORA-2022-DB674BAFD9, FEDORA-2022-7E327A20BE", }, { date: "2023-09-14T22:00:00.000+00:00", number: "6", summary: "Neue Updates von Red Hat aufgenommen", }, ], status: "final", version: "6", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "JFrog Artifactory", product: { name: "JFrog Artifactory", product_id: "T024527", product_identification_helper: { cpe: "cpe:/a:jfrog:artifactory:-", }, }, }, { category: "product_name", name: "JFrog Artifactory < 7.46.3", product: { name: "JFrog Artifactory < 7.46.3", product_id: "T024764", product_identification_helper: { cpe: "cpe:/a:jfrog:artifactory:7.46.3", }, }, }, ], category: "product_name", name: "Artifactory", }, ], category: "vendor", name: "JFrog", }, { branches: 
[ { category: "product_name", name: "Red Hat Enterprise Linux", product: { name: "Red Hat Enterprise Linux", product_id: "67646", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:-", }, }, }, ], category: "vendor", name: "Red Hat", }, { branches: [ { category: "product_name", name: "Ubuntu Linux", product: { name: "Ubuntu Linux", product_id: "T000126", product_identification_helper: { cpe: "cpe:/o:canonical:ubuntu_linux:-", }, }, }, ], category: "vendor", name: "Ubuntu", }, ], }, vulnerabilities: [ { cve: "CVE-2013-4517", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2013-4517", }, { cve: "CVE-2013-7285", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2013-7285", }, { cve: "CVE-2014-0107", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2014-0107", }, { cve: "CVE-2014-0114", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2014-0114", }, { cve: "CVE-2014-3577", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2014-3577", }, { cve: "CVE-2014-3623", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2014-3623", }, { cve: "CVE-2015-0227", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-0227", }, { cve: "CVE-2015-2575", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-2575", }, { cve: "CVE-2015-3253", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-3253", }, { cve: "CVE-2015-4852", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-4852", }, { cve: "CVE-2015-7940", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-7940", }, { cve: "CVE-2016-10750", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-10750", }, { cve: "CVE-2016-3092", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-3092", }, { cve: "CVE-2016-3674", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-3674", }, { cve: "CVE-2016-6501", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-6501", }, { cve: "CVE-2016-8735", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-8735", }, { cve: "CVE-2016-8745", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-8745", }, { cve: "CVE-2017-1000487", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-1000487", }, { cve: "CVE-2017-15095", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-15095", }, { cve: "CVE-2017-17485", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-17485", }, { cve: "CVE-2017-18214", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-18214", }, { cve: "CVE-2017-18640", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-18640", }, { cve: "CVE-2017-7525", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-7525", }, { cve: "CVE-2017-7657", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-7657", }, { cve: "CVE-2017-7957", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-7957", }, { cve: "CVE-2017-9506", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-9506", }, { cve: "CVE-2018-1000206", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2018-1000206", }, { cve: "CVE-2018-9116", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2018-9116", }, { cve: "CVE-2019-10219", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-10219", }, { cve: "CVE-2019-12402", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-12402", }, { cve: "CVE-2019-17359", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-17359", }, { cve: "CVE-2019-17571", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-17571", }, { cve: "CVE-2019-20104", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-20104", }, { cve: "CVE-2020-11996", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-11996", }, { cve: "CVE-2020-13934", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-13934", }, { cve: "CVE-2020-13935", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-13935", }, { cve: "CVE-2020-13949", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-13949", }, { cve: "CVE-2020-14340", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-14340", }, { cve: "CVE-2020-15586", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-15586", }, { cve: "CVE-2020-1745", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-1745", }, { cve: "CVE-2020-17521", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-17521", }, { cve: "CVE-2020-25649", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-25649", }, { cve: "CVE-2020-28500", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-28500", }, { cve: "CVE-2020-29582", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-29582", }, { cve: "CVE-2020-36518", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-36518", }, { cve: "CVE-2020-7226", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-7226", }, { cve: "CVE-2020-7692", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-7692", }, { cve: "CVE-2020-8203", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-8203", }, { cve: "CVE-2021-13936", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-13936", }, { cve: "CVE-2021-21290", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-21290", }, { cve: "CVE-2021-22060", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22060", }, { cve: "CVE-2021-22112", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22112", }, { cve: "CVE-2021-22119", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22119", }, { cve: "CVE-2021-22147", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22147", }, { cve: "CVE-2021-22148", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22148", }, { cve: "CVE-2021-22149", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22149", }, { cve: "CVE-2021-22573", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22573", }, { cve: "CVE-2021-23337", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-23337", }, { cve: "CVE-2021-25122", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-25122", }, { cve: "CVE-2021-26291", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-26291", }, { cve: "CVE-2021-27568", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-27568", }, { cve: "CVE-2021-29505", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-29505", }, { cve: "CVE-2021-30129", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-30129", }, { cve: "CVE-2021-33037", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-33037", }, { cve: "CVE-2021-35550", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35550", }, { cve: "CVE-2021-35556", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35556", }, { cve: "CVE-2021-35560", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35560", }, { cve: "CVE-2021-35561", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35561", }, { cve: "CVE-2021-35564", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35564", }, { cve: "CVE-2021-35565", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35565", }, { cve: "CVE-2021-35567", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35567", }, { cve: "CVE-2021-35578", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35578", }, { cve: "CVE-2021-35586", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35586", }, { cve: "CVE-2021-35588", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35588", }, { cve: "CVE-2021-35603", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35603", }, { cve: "CVE-2021-36374", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-36374", }, { cve: "CVE-2021-3765", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-3765", }, { cve: "CVE-2021-3807", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-3807", }, { cve: "CVE-2021-38561", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-38561", }, { cve: "CVE-2021-3859", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-3859", }, { cve: "CVE-2021-41090", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-41090", }, { cve: "CVE-2021-41091", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-41091", }, { cve: "CVE-2021-42340", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-42340", }, { cve: "CVE-2021-42550", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-42550", }, { cve: "CVE-2021-43797", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-43797", }, { cve: "CVE-2022-0536", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-0536", }, { cve: "CVE-2022-22963", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-22963", }, { cve: "CVE-2022-23632", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-23632", }, { cve: "CVE-2022-23648", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-23648", }, { cve: "CVE-2022-23806", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-23806", }, { cve: "CVE-2022-24769", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-24769", }, { cve: "CVE-2022-24823", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-24823", }, { cve: "CVE-2022-27191", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-27191", }, { cve: "CVE-2022-29153", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-29153", }, { cve: "CVE-2022-32212", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32212", }, { cve: "CVE-2022-32213", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32213", }, { cve: "CVE-2022-32214", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32214", }, { cve: "CVE-2022-32215", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32215", }, { cve: "CVE-2022-32223", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32223", }, ], }
wid-sec-w-2022-1375
Vulnerability from csaf_certbund
Notes
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "JFrog Artifactory ist eine universelle DevOps-Lösung.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in JFrog Artifactory ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2022-1375 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-1375.json", }, { category: "self", summary: "WID-SEC-2022-1375 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1375", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:5165 vom 2023-09-14", url: "https://access.redhat.com/errata/RHSA-2023:5165", }, { category: "external", summary: "JFrog Fixed Security Vulnerabilities vom 2022-09-11", url: "https://www.jfrog.com/confluence/display/JFROG/Fixed+Security+Vulnerabilities", }, { category: "external", summary: "JFrog Fixed Security 
Vulnerabilities", url: "https://www.jfrog.com/confluence/display/JFROG/Fixed+Security+Vulnerabilities", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2022:6782 vom 2022-10-04", url: "https://access.redhat.com/errata/RHSA-2022:6782", }, { category: "external", summary: "Ubuntu Security Notice USN-5776-1 vom 2022-12-13", url: "https://ubuntu.com/security/notices/USN-5776-1", }, ], source_lang: "en-US", title: "JFrog Artifactory: Mehrere Schwachstellen", tracking: { current_release_date: "2023-09-14T22:00:00.000+00:00", generator: { date: "2024-08-15T17:34:59.214+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2022-1375", initial_release_date: "2022-09-11T22:00:00.000+00:00", revision_history: [ { date: "2022-09-11T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2022-10-03T22:00:00.000+00:00", number: "2", summary: "Neue Updates aufgenommen", }, { date: "2022-10-04T22:00:00.000+00:00", number: "3", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2022-12-12T23:00:00.000+00:00", number: "4", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2022-12-20T23:00:00.000+00:00", number: "5", summary: "Referenz(en) aufgenommen: FEDORA-2022-DB674BAFD9, FEDORA-2022-7E327A20BE", }, { date: "2023-09-14T22:00:00.000+00:00", number: "6", summary: "Neue Updates von Red Hat aufgenommen", }, ], status: "final", version: "6", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "JFrog Artifactory", product: { name: "JFrog Artifactory", product_id: "T024527", product_identification_helper: { cpe: "cpe:/a:jfrog:artifactory:-", }, }, }, { category: "product_name", name: "JFrog Artifactory < 7.46.3", product: { name: "JFrog Artifactory < 7.46.3", product_id: "T024764", product_identification_helper: { cpe: "cpe:/a:jfrog:artifactory:7.46.3", }, }, }, ], category: "product_name", name: "Artifactory", }, ], category: "vendor", name: "JFrog", }, { branches: 
[ { category: "product_name", name: "Red Hat Enterprise Linux", product: { name: "Red Hat Enterprise Linux", product_id: "67646", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:-", }, }, }, ], category: "vendor", name: "Red Hat", }, { branches: [ { category: "product_name", name: "Ubuntu Linux", product: { name: "Ubuntu Linux", product_id: "T000126", product_identification_helper: { cpe: "cpe:/o:canonical:ubuntu_linux:-", }, }, }, ], category: "vendor", name: "Ubuntu", }, ], }, vulnerabilities: [ { cve: "CVE-2013-4517", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2013-4517", }, { cve: "CVE-2013-7285", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2013-7285", }, { cve: "CVE-2014-0107", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2014-0107", }, { cve: "CVE-2014-0114", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2014-0114", }, { cve: "CVE-2014-3577", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2014-3577", }, { cve: "CVE-2014-3623", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2014-3623", }, { cve: "CVE-2015-0227", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-0227", },
{ cve: "CVE-2015-2575", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-2575", },
{ cve: "CVE-2015-3253", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-3253", },
{ cve: "CVE-2015-4852", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-4852", },
{ cve: "CVE-2015-7940", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2015-7940", },
{ cve: "CVE-2016-10750", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-10750", },
{ cve: "CVE-2016-3092", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-3092", },
{ cve: "CVE-2016-3674", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-3674", },
{ cve: "CVE-2016-6501", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-6501", },
{ cve: "CVE-2016-8735", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-8735", },
{ cve: "CVE-2016-8745", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2016-8745", },
{ cve: "CVE-2017-1000487", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-1000487", },
{ cve: "CVE-2017-15095", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-15095", },
{ cve: "CVE-2017-17485", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-17485", },
{ cve: "CVE-2017-18214", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-18214", },
{ cve: "CVE-2017-18640", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-18640", },
{ cve: "CVE-2017-7525", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-7525", },
{ cve: "CVE-2017-7657", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-7657", },
{ cve: "CVE-2017-7957", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-7957", },
{ cve: "CVE-2017-9506", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2017-9506", },
{ cve: "CVE-2018-1000206", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2018-1000206", },
{ cve: "CVE-2018-9116", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2018-9116", },
{ cve: "CVE-2019-10219", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-10219", },
{ cve: "CVE-2019-12402", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-12402", },
{ cve: "CVE-2019-17359", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-17359", },
{ cve: "CVE-2019-17571", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-17571", },
{ cve: "CVE-2019-20104", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2019-20104", },
{ cve: "CVE-2020-11996", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-11996", },
{ cve: "CVE-2020-13934", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-13934", },
{ cve: "CVE-2020-13935", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-13935", },
{ cve: "CVE-2020-13949", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-13949", },
{ cve: "CVE-2020-14340", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-14340", },
{ cve: "CVE-2020-15586", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-15586", },
{ cve: "CVE-2020-1745", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-1745", },
{ cve: "CVE-2020-17521", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-17521", },
{ cve: "CVE-2020-25649", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-25649", },
{ cve: "CVE-2020-28500", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-28500", },
{ cve: "CVE-2020-29582", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-29582", },
{ cve: "CVE-2020-36518", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-36518", },
{ cve: "CVE-2020-7226", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-7226", },
{ cve: "CVE-2020-7692", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-7692", },
{ cve: "CVE-2020-8203", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2020-8203", },
{ cve: "CVE-2021-13936", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-13936", },
{ cve: "CVE-2021-21290", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-21290", },
{ cve: "CVE-2021-22060", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22060", },
{ cve: "CVE-2021-22112", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22112", },
{ cve: "CVE-2021-22119", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22119", },
{ cve: "CVE-2021-22147", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22147", },
{ cve: "CVE-2021-22148", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22148", },
{ cve: "CVE-2021-22149", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22149", },
{ cve: "CVE-2021-22573", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-22573", },
{ cve: "CVE-2021-23337", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-23337", },
{ cve: "CVE-2021-25122", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-25122", },
{ cve: "CVE-2021-26291", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-26291", },
{ cve: "CVE-2021-27568", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. Successful exploitation of some of these vulnerabilities requires user interaction and elevated privileges.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-27568", },
{ cve: "CVE-2021-29505", notes: [ { category: "description", text: "JFrog Artifactory contains numerous vulnerabilities in various third-party components. A remote, anonymous, authenticated or local attacker can exploit these vulnerabilities to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and trigger a denial-of-service condition. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-29505", }, { cve: "CVE-2021-30129", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-30129", }, { cve: "CVE-2021-33037", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-33037", }, { cve: "CVE-2021-35550", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35550", }, { cve: "CVE-2021-35556", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35556", }, { cve: "CVE-2021-35560", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35560", }, { cve: "CVE-2021-35561", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35561", }, { cve: "CVE-2021-35564", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35564", }, { cve: "CVE-2021-35565", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35565", }, { cve: "CVE-2021-35567", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35567", }, { cve: "CVE-2021-35578", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35578", }, { cve: "CVE-2021-35586", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35586", }, { cve: "CVE-2021-35588", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35588", }, { cve: "CVE-2021-35603", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-35603", }, { cve: "CVE-2021-36374", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-36374", }, { cve: "CVE-2021-3765", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-3765", }, { cve: "CVE-2021-3807", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-3807", }, { cve: "CVE-2021-38561", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-38561", }, { cve: "CVE-2021-3859", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-3859", }, { cve: "CVE-2021-41090", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-41090", }, { cve: "CVE-2021-41091", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-41091", }, { cve: "CVE-2021-42340", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-42340", }, { cve: "CVE-2021-42550", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-42550", }, { cve: "CVE-2021-43797", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2021-43797", }, { cve: "CVE-2022-0536", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-0536", }, { cve: "CVE-2022-22963", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-22963", }, { cve: "CVE-2022-23632", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-23632", }, { cve: "CVE-2022-23648", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-23648", }, { cve: "CVE-2022-23806", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-23806", }, { cve: "CVE-2022-24769", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-24769", }, { cve: "CVE-2022-24823", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-24823", }, { cve: "CVE-2022-27191", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-27191", }, { cve: "CVE-2022-29153", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-29153", }, { cve: "CVE-2022-32212", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. 
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32212", }, { cve: "CVE-2022-32213", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32213", }, { cve: "CVE-2022-32214", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. 
Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32214", }, { cve: "CVE-2022-32215", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32215", }, { cve: "CVE-2022-32223", notes: [ { category: "description", text: "In JFrog Artifactory existieren Zahlreiche Schwachstellen in verschiedenen Komponenten von Drittanbietern. Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. Das erfolgreiche Ausnutzen einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erhöhte Rechte.", }, ], product_status: { known_affected: [ "T024527", "67646", "T000126", "T024764", ], }, release_date: "2022-09-11T22:00:00.000+00:00", title: "CVE-2022-32223", }, ], }
wid-sec-w-2022-0770
Vulnerability from csaf_certbund
Notes
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "IBM DB2 ist ein relationales Datenbanksystem (RDBS) von IBM.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in IBM DB2 ausnutzen, um seine Privilegien zu erhöhen oder einen Denial of Service zu verursachen", title: "Angriff", }, { category: "general", text: "- Linux\n- UNIX\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2022-0770 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2020/wid-sec-w-2022-0770.json", }, { category: "self", summary: "WID-SEC-2022-0770 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0770", }, { category: "external", summary: "IBM Security Bulletin 6198380 vom 2020-04-23", url: "https://www.ibm.com/support/pages/node/6198380", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:2603 vom 2020-06-17", url: "https://access.redhat.com/errata/RHSA-2020:2603", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:4807 vom 2020-11-04", url: "https://access.redhat.com/errata/RHSA-2020:4807", }, { category: "external", summary: 
"Red Hat Security Advisory RHSA-2021:3225 vom 2021-08-20", url: "https://access.redhat.com/errata/RHSA-2021:3225", }, { category: "external", summary: "Hitachi Vulnerability Information HITACHI-SEC-2022-115 vom 2022-05-27", url: "https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2022-115/index.html", }, { category: "external", summary: "IBM Security Bulletin 6605881 vom 2022-07-21", url: "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-have-been-identified-in-ibm-db2-shipped-with-ibm-puredata-system-for-operational-analytics/", }, { category: "external", summary: "Dell Security Advisory DSA-2024-070 vom 2024-02-03", url: "https://www.dell.com/support/kbdoc/000221770/dsa-2024-=", }, { category: "external", summary: "Hitachi Vulnerability Information HITACHI-SEC-2023-144 vom 2023-10-03", url: "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2023-144/index.html", }, { category: "external", summary: "IBM Security Bulletin 7153639 vom 2024-05-17", url: "https://www.ibm.com/support/pages/node/7153639", }, ], source_lang: "en-US", title: "IBM DB2: Mehrere Schwachstellen", tracking: { current_release_date: "2024-05-16T22:00:00.000+00:00", generator: { date: "2024-08-15T17:32:05.856+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2022-0770", initial_release_date: "2020-04-23T22:00:00.000+00:00", revision_history: [ { date: "2020-04-23T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2020-06-17T22:00:00.000+00:00", number: "2", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2020-11-03T23:00:00.000+00:00", number: "3", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2021-08-19T22:00:00.000+00:00", number: "4", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2022-05-26T22:00:00.000+00:00", number: "5", summary: "Neue Updates von HITACHI aufgenommen", }, { date: "2022-07-20T22:00:00.000+00:00", 
number: "6", summary: "Neue Updates von IBM aufgenommen", }, { date: "2023-10-03T22:00:00.000+00:00", number: "7", summary: "Neue Updates von HITACHI aufgenommen", }, { date: "2024-02-04T23:00:00.000+00:00", number: "8", summary: "Neue Updates von Dell aufgenommen", }, { date: "2024-05-16T22:00:00.000+00:00", number: "9", summary: "Neue Updates von IBM aufgenommen", }, ], status: "final", version: "9", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "EMC Avamar", product: { name: "EMC Avamar", product_id: "T014381", product_identification_helper: { cpe: "cpe:/a:emc:avamar:-", }, }, }, ], category: "vendor", name: "EMC", }, { branches: [ { branches: [ { category: "product_name", name: "Hitachi Ops Center", product: { name: "Hitachi Ops Center", product_id: "T017562", product_identification_helper: { cpe: "cpe:/a:hitachi:ops_center:-", }, }, }, { category: "product_version_range", name: "<Analyzer 10.9.3-00", product: { name: "Hitachi Ops Center <Analyzer 10.9.3-00", product_id: "T030196", }, }, { category: "product_version_range", name: "<Viewpoint 10.9.3-00", product: { name: "Hitachi Ops Center <Viewpoint 10.9.3-00", product_id: "T030197", }, }, ], category: "product_name", name: "Ops Center", }, ], category: "vendor", name: "Hitachi", }, { branches: [ { branches: [ { category: "product_version", name: "11.1", product: { name: "IBM DB2 11.1", product_id: "342000", product_identification_helper: { cpe: "cpe:/a:ibm:db2:11.1", }, }, }, { category: "product_version", name: "11.5", product: { name: "IBM DB2 11.5", product_id: "695419", product_identification_helper: { cpe: "cpe:/a:ibm:db2:11.5", }, }, }, ], category: "product_name", name: "DB2", }, ], category: "vendor", name: "IBM", }, { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux", product: { name: "Red Hat Enterprise Linux", product_id: "67646", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:-", }, }, }, ], category: "vendor", name: 
"Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2009-0001", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2009-0001", }, { cve: "CVE-2014-0114", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2014-0114", }, { cve: "CVE-2014-0193", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2014-0193", }, { cve: "CVE-2014-3488", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. 
Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2014-3488", }, { cve: "CVE-2015-2156", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2015-2156", }, { cve: "CVE-2016-2402", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2016-2402", }, { cve: "CVE-2017-12972", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. 
Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2017-12972", }, { cve: "CVE-2017-12973", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2017-12973", }, { cve: "CVE-2017-12974", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2017-12974", }, { cve: "CVE-2017-18640", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. 
Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2017-18640", }, { cve: "CVE-2017-3734", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2017-3734", }, { cve: "CVE-2017-5637", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2017-5637", }, { cve: "CVE-2018-10237", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. 
Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2018-10237", }, { cve: "CVE-2018-11771", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2018-11771", }, { cve: "CVE-2018-8009", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2018-8009", }, { cve: "CVE-2018-8012", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. 
Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2018-8012", }, { cve: "CVE-2019-0201", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2019-0201", }, { cve: "CVE-2019-10086", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2019-10086", }, { cve: "CVE-2019-10172", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. 
Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2019-10172", }, { cve: "CVE-2019-10202", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2019-10202", }, { cve: "CVE-2019-12402", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2019-12402", }, { cve: "CVE-2019-16869", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. 
Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2019-16869", }, { cve: "CVE-2019-17195", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2019-17195", }, { cve: "CVE-2019-17571", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2019-17571", }, { cve: "CVE-2019-9512", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. 
Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2019-9512", }, { cve: "CVE-2019-9514", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2019-9514", }, { cve: "CVE-2019-9515", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2019-9515", }, { cve: "CVE-2019-9518", notes: [ { category: "description", text: "In IBM DB2 existieren mehrere Schwachstellen in abhängigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern.", }, ], product_status: { known_affected: [ "T014381", "342000", "67646", "695419", "T030196", "T017562", "T030197", ], }, release_date: "2020-04-23T22:00:00.000+00:00", title: "CVE-2019-9518", }, ], }
var-201404-0288
Vulnerability from variot
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

OpenClinic GA is an information management system for hospitals that handles data such as financial management, clinical practice and pharmacies. Multiple vulnerabilities exist in OpenClinic GA:

- * Authentication bypass via an alternate path or channel (CWE-288) - CVE-2020-14485
- Improper restriction of excessive authentication attempts (CWE-307) - CVE-2020-14484
- Improper authentication (CWE-287) - CVE-2020-14494
- Missing authorization (CWE-862) - CVE-2020-14491
- Execution with unnecessary privileges (CWE-250) - CVE-2020-14493
- Unrestricted upload of files of a dangerous type (CWE-434) - CVE-2020-14488
- Path traversal (CWE-22) - CVE-2020-14490
- Improper authorization (CWE-285) - CVE-2020-14486
- Cross-site scripting (CWE-79) - CVE-2020-14492
- Use of unmaintained third-party components (CWE-1104) - CVE-2020-14495, due to CVE-2016-1181 and CVE-2016-1182
- * Insufficiently protected credentials (CWE-522) - CVE-2020-14489
- Hidden functionality (CWE-912) - CVE-2020-14487

* However, this vulnerability does not affect version 5.89.05b.

The expected impact depends on each vulnerability, but may include the following:

- * A remote attacker initiates a session by bypassing client-side access control or by sending a specially crafted request, and performs administrator functions such as executing SQL queries - CVE-2020-14485
- A remote attacker bypasses the system's account lockout feature and carries out a brute-force attack - CVE-2020-14484
- Because the system's protection mechanism against brute-force attacks is insufficient, an unauthenticated attacker can access the system after exceeding the maximum number of attempts - CVE-2020-14494
- Because the system does not check execution permissions for SQL queries, a user with lower privileges can access information that requires higher privileges - CVE-2020-14491
- With relatively low privileges it is possible to write arbitrary files by executing SQL, and as a result arbitrary commands are executed on the system - CVE-2020-14493
- Because the system does not properly validate uploaded files, a low-privileged attacker uploads and executes arbitrary files on the system - CVE-2020-14488
- Executing a file that includes an arbitrary local file specified by a parameter exposes sensitive information or executes an uploaded malicious file - CVE-2020-14490
- By bypassing the redirect that is performed when authentication fails, an unauthenticated attacker can execute commands without authorization - CVE-2020-14486
- Malicious code is executed in the user's browser because user input is not properly validated - CVE-2020-14492
- Malicious code is executed by a remote attacker due to known vulnerabilities in end-of-support third-party software used by the system (CVE-2014-0114, CVE-2016-1181, CVE-2016-1182)
- * Because of a flaw in the hashing process used when saving passwords, passwords can be recovered by a dictionary attack - CVE-2020-14489
- A default user account exists on the system in an accessible state, and an attacker can use that account to execute arbitrary commands - CVE-2020-14487
=====================================================================
Red Hat Security Advisory

Synopsis: Important: Fuse ESB Enterprise 7.1.0 security update
Advisory ID: RHSA-2014:0498-01
Product: Fuse Enterprise Middleware
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0498.html
Issue date: 2014-05-14
CVE Names: CVE-2014-0114
=====================================================================
- Summary:
Fuse ESB Enterprise 7.1.0 R1 P4 (Patch 4 on Rollup Patch 1), a security update that addresses one security issue, is now available from the Red Hat Customer Portal.
The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
- Description:
Fuse ESB Enterprise is an integration platform based on Apache ServiceMix. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions. (CVE-2014-0114)
Refer to the readme.txt file included with the patch files for installation instructions.
All users of Fuse ESB Enterprise 7.1.0 as provided from the Red Hat Customer Portal are advised to apply this security update.
- Solution:
The References section of this erratum contains a download link (you must log in to download the update).
- Bugs fixed (https://bugzilla.redhat.com/):
1091938 - CVE-2014-0114 Apache Struts 1: Class Loader manipulation via request parameters
- References:
https://www.redhat.com/security/data/cve/CVE-2014-0114.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.esb.enterprise&downloadType=securityPatches&version=7.1.0
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
Note: the current version of the following document is available here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05324755
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c05324755 Version: 1
HPSBGN03669 rev.1 - HPE SiteScope, Local Elevation of Privilege, Remote Denial of Service, Arbitrary Code Execution and Cross-Site Request Forgery
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2016-11-04 Last Updated: 2016-11-04
Potential Security Impact: Local: Elevation of Privilege; Remote: Arbitrary Code Execution, Cross-Site Request Forgery (CSRF), Denial of Service (DoS)
Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY
Potential vulnerabilities have been identified in HPE SiteScope. The vulnerabilities could be exploited locally to allow elevation of privilege, and remotely to allow denial of service, arbitrary code execution and cross-site request forgery.
References:
- CVE-2014-0114 - Apache Struts, execution of arbitrary code
- CVE-2016-0763 - Apache Tomcat, denial of service (DoS)
- CVE-2014-0107 - Apache XML Xalan, bypass expected restrictions
- CVE-2015-3253 - Apache Groovy, execution of arbitrary code
- CVE-2015-5652 - Python, elevation of privilege
- CVE-2013-6429 - Spring Framework, cross-site request forgery
- CVE-2014-0050 - Apache Commons FileUpload, denial of service (DoS)
- PSRT110264
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- HP SiteScope Monitors Software Series 11.2x - 11.32IP1
BACKGROUND
CVSS Base Metrics
=================
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector
    CVE-2013-6429
      6.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
      6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    CVE-2014-0050
      8.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
      7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
    CVE-2014-0107
      8.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
      7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
    CVE-2014-0114
      6.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
      7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
    CVE-2015-3253
      7.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
      7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
    CVE-2015-5652
      8.6 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
      7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
    CVE-2016-0763
      6.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
      6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Information on CVSS is documented in HPE Customer Notice HPSN-2008-002 here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499
RESOLUTION
HPE has provided a resolution via an update to HPE SiteScope. Details on the update and each vulnerability are in the KM articles below.
Note: The resolution for each vulnerability listed is to upgrade to SiteScope 11.32IP2 or a more recent version of SiteScope if available. The SiteScope update can be found in the personal zone under "my updates" in HPE Software Support Online: https://softwaresupport.hpe.com.
- Apache Commons FileUpload: KM02550251 (CVE-2014-0050):
- Apache Struts: KM02553983 (CVE-2014-0114):
- Apache Tomcat: KM02553990 (CVE-2016-0763):
- Apache XML Xalan: KM02553991 (CVE-2014-0107):
- Apache Groovy: KM02553992 (CVE-2015-3253):
- Python: KM02553997 (CVE-2015-5652):
- Spring Framework: KM02553998 (CVE-2013-6429):
HISTORY
Version:1 (rev.1) - 4 November 2016 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability for any HPE supported product: Web form: https://www.hpe.com/info/report-security-vulnerability Email: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
References: CVE-2014-0114, SSRT101566
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Mitigation information for the Apache Struts vulnerability (CVE-2014-0114) is available at the following location:
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.U2J7xeaSxro
Japanese information is available at the following location:
http://www.hp.com/jp/icewall_patchaccess
Note: The HP IceWall product is only available in Japan. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", affected_products: { "@id": "https://www.variotdbs.pl/ref/affected_products", }, configurations: { "@id": "https://www.variotdbs.pl/ref/configurations", }, credits: { "@id": "https://www.variotdbs.pl/ref/credits", }, cvss: { "@id": "https://www.variotdbs.pl/ref/cvss/", }, description: { "@id": "https://www.variotdbs.pl/ref/description/", }, exploit_availability: { "@id": "https://www.variotdbs.pl/ref/exploit_availability/", }, external_ids: { "@id": "https://www.variotdbs.pl/ref/external_ids/", }, iot: { "@id": "https://www.variotdbs.pl/ref/iot/", }, iot_taxonomy: { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/", }, patch: { "@id": "https://www.variotdbs.pl/ref/patch/", }, problemtype_data: { "@id": "https://www.variotdbs.pl/ref/problemtype_data/", }, references: { "@id": "https://www.variotdbs.pl/ref/references/", }, sources: { "@id": "https://www.variotdbs.pl/ref/sources/", }, sources_release_date: { "@id": "https://www.variotdbs.pl/ref/sources_release_date/", }, sources_update_date: { "@id": "https://www.variotdbs.pl/ref/sources_update_date/", }, threat_type: { "@id": "https://www.variotdbs.pl/ref/threat_type/", }, title: { "@id": "https://www.variotdbs.pl/ref/title/", }, type: { "@id": "https://www.variotdbs.pl/ref/type/", }, }, "@id": "https://www.variotdbs.pl/vuln/VAR-201404-0288", affected_products: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { model: "struts", scope: "eq", trust: 1, vendor: "apache", version: "1.2.4", }, { model: "struts", scope: "eq", trust: 1, vendor: "apache", version: "1.2.8", }, { model: "struts", scope: "eq", trust: 1, vendor: "apache", version: "1.0", }, { model: "struts", scope: "eq", trust: 1, vendor: 
"apache", version: "1.2.7", }, { model: "struts", scope: "eq", trust: 1, vendor: "apache", version: "1.3.5", }, { model: "struts", scope: "eq", trust: 1, vendor: "apache", version: "1.0.2", }, { model: "struts", scope: "eq", trust: 1, vendor: "apache", version: "1.2.2", }, { model: "struts", scope: "eq", trust: 1, vendor: "apache", version: "1.2.6", }, { model: "struts", scope: "eq", trust: 1, vendor: "apache", version: "1.2.9", }, { model: "struts", scope: "eq", trust: 1, vendor: "apache", version: "1.3.8", }, { model: "struts", scope: "eq", trust: 1, vendor: "apache", version: "1.3.10", }, { model: "commons beanutils", scope: "lte", trust: 1, vendor: "apache", version: "1.9.1", }, { model: "struts", scope: "eq", trust: 1, vendor: "apache", version: "1.1", }, { model: "openclinic ga", scope: "eq", trust: 0.8, vendor: "openclinic ga", version: null, }, { model: "openclinic ga", scope: "eq", trust: 0.8, vendor: "openclinic ga", version: "version 5.09.02", }, { model: "openclinic ga", scope: "eq", trust: 0.8, vendor: "openclinic ga", version: "version 5.89.05b", }, { model: "struts", scope: "eq", trust: 0.8, vendor: "apache", version: "1.x to 1.3.10", }, { model: "クラウド インフラ マネージメント ソフトウェア", scope: null, trust: 0.8, vendor: "富士通", version: null, }, { model: "fujitsu integrated system ha database ready", scope: "eq", trust: 0.8, vendor: "富士通", version: null, }, { model: "interstage", scope: "eq", trust: 0.8, vendor: "富士通", version: "business analytics modeling server", }, { model: "interstage", scope: "eq", trust: 0.8, vendor: "富士通", version: "business process manager analytics", }, { model: "interstage", scope: "eq", trust: 0.8, vendor: "富士通", version: "mobile manager", }, { model: "interstage", scope: "eq", trust: 0.8, vendor: "富士通", version: "extreme transaction processing server", }, { model: "interstage", scope: "eq", trust: 0.8, vendor: "富士通", version: "navigator explorer server", }, { model: "interstage", scope: "eq", trust: 0.8, vendor: "富士通", version: 
"application development cycle manager", }, { model: "interstage", scope: "eq", trust: 0.8, vendor: "富士通", version: "application framework suite", }, { model: "interstage", scope: "eq", trust: 0.8, vendor: "富士通", version: "application server", }, { model: "interstage", scope: "eq", trust: 0.8, vendor: "富士通", version: "apworks", }, { model: "interstage", scope: "eq", trust: 0.8, vendor: "富士通", version: "business application server", }, { model: "interstage", scope: "eq", trust: 0.8, vendor: "富士通", version: "job workload server", }, { model: "interstage", scope: "eq", trust: 0.8, vendor: "富士通", version: "service integrator", }, { model: "interstage", scope: "eq", trust: 0.8, vendor: "富士通", version: "studio", }, { model: "interstage application development cycle manager", scope: "eq", trust: 0.8, vendor: "富士通", version: null, }, { model: "interstage application framework suite", scope: "eq", trust: 0.8, vendor: "富士通", version: null, }, { model: "interstage application server", scope: "eq", trust: 0.8, vendor: "富士通", version: null, }, { model: "interstage apworks", scope: "eq", trust: 0.8, vendor: "富士通", version: null, }, { model: "interstage business application server", scope: "eq", trust: 0.8, vendor: "富士通", version: null, }, { model: "interstage job workload server", scope: "eq", trust: 0.8, vendor: "富士通", version: null, }, { model: "interstage service integrator", scope: "eq", trust: 0.8, vendor: "富士通", version: null, }, { model: "interstage studio", scope: "eq", trust: 0.8, vendor: "富士通", version: null, }, { model: "serverview", scope: "eq", trust: 0.8, vendor: "富士通", version: "resource orchestrator", }, { model: "symfoware", scope: "eq", trust: 0.8, vendor: "富士通", version: "analytics server", }, { model: "symfoware", scope: "eq", trust: 0.8, vendor: "富士通", version: "server", }, { model: "systemwalker service catalog manager", scope: "eq", trust: 0.8, vendor: "富士通", version: null, }, { model: "systemwalker service quality coordinator", scope: "eq", trust: 0.8, 
vendor: "富士通", version: null, }, { model: "systemwalker software configuration manager", scope: "eq", trust: 0.8, vendor: "富士通", version: null, }, { model: "triole", scope: "eq", trust: 0.8, vendor: "富士通", version: "cloud middle set b set", }, { model: "hitachi device manager", scope: "eq", trust: 0.8, vendor: "日立", version: "software", }, { model: "hitachi global link manager", scope: "eq", trust: 0.8, vendor: "日立", version: "software", }, { model: "job management partner 1/performance management - web console", scope: "eq", trust: 0.8, vendor: "日立", version: null, }, { model: "jp1/performance management", scope: "eq", trust: 0.8, vendor: "日立", version: "- manager web option", }, { model: "jp1/performance management", scope: "eq", trust: 0.8, vendor: "日立", version: "- web console", }, { model: "hitachi replication manager", scope: "eq", trust: 0.8, vendor: "日立", version: "software", }, { model: "hitachi tiered storage manager", scope: "eq", trust: 0.8, vendor: "日立", version: "software", }, { model: "hitachi tuning manager", scope: "eq", trust: 0.8, vendor: "日立", version: "software", }, { model: "hp device manager", scope: "eq", trust: 0.8, vendor: "ヒューレット パッカード", version: null, }, { model: "hp xp7", scope: "eq", trust: 0.8, vendor: "ヒューレット パッカード", version: "global link manager software", }, { model: "hp xp p9000", scope: "eq", trust: 0.8, vendor: "ヒューレット パッカード", version: "replication manager", }, { model: "hp xp p9000", scope: "eq", trust: 0.8, vendor: "ヒューレット パッカード", version: "tiered storage manager", }, { model: "connections", scope: "eq", trust: 0.8, vendor: "ibm", version: "5.0", }, { model: "connections", scope: "eq", trust: 0.8, vendor: "ibm", version: "4.5", }, { model: "connections", scope: "eq", trust: 0.8, vendor: "ibm", version: "4.0", }, { model: "connections", scope: "lte", trust: 0.8, vendor: "ibm", version: "3.0.1.1", }, { model: "content collector", scope: "eq", trust: 0.8, vendor: "ibm", version: "2.2", }, { model: "lotus expeditor", scope: "eq", 
trust: 0.8, vendor: "ibm", version: "6.1.x", }, { model: "lotus expeditor", scope: "eq", trust: 0.8, vendor: "ibm", version: "6.2.x", }, { model: "lotus mashups", scope: "eq", trust: 0.8, vendor: "ibm", version: "2.0.0.2", }, { model: "lotus mashups", scope: "eq", trust: 0.8, vendor: "ibm", version: "3.0.0.1", }, { model: "lotus quickr", scope: "eq", trust: 0.8, vendor: "ibm", version: "8.5 for websphere portal", }, { model: "rational change", scope: "eq", trust: 0.8, vendor: "ibm", version: "5.2", }, { model: "rational change", scope: "eq", trust: 0.8, vendor: "ibm", version: "5.3", }, { model: "rational change", scope: "eq", trust: 0.8, vendor: "ibm", version: "5.3.1", }, { model: "websphere portal", scope: "eq", trust: 0.8, vendor: "ibm", version: "8.5", }, { model: "websphere portal", scope: "eq", trust: 0.8, vendor: "ibm", version: "8.0", }, { model: "websphere portal", scope: "eq", trust: 0.8, vendor: "ibm", version: "7", }, { model: "websphere portal", scope: "eq", trust: 0.8, vendor: "ibm", version: "6.1.x", }, { model: "esmpro/servermanager", scope: "lte", trust: 0.8, vendor: "日本電気", version: "ver5.75", }, { model: "infocage", scope: "eq", trust: 0.8, vendor: "日本電気", version: "pc security", }, { model: "infocage", scope: "eq", trust: 0.8, vendor: "日本電気", version: "security risk management v1.0.0 to v1.0.6", }, { model: "infocage", scope: "eq", trust: 0.8, vendor: "日本電気", version: "security risk management v1.0.0 to v2.1.3", }, { model: "webotx", scope: "eq", trust: 0.8, vendor: "日本電気", version: "enterprise edition v5.1 to v5.2", }, { model: "webotx", scope: "eq", trust: 0.8, vendor: "日本電気", version: "enterprise edition v6.1 to v6.5", }, { model: "webotx", scope: "eq", trust: 0.8, vendor: "日本電気", version: "rfid manager enterprise v7.1", }, { model: "webotx", scope: "eq", trust: 0.8, vendor: "日本電気", version: "rfid manager lite v2.0", }, { model: "webotx", scope: "eq", trust: 0.8, vendor: "日本電気", version: "rfid manager standard v2.0", }, { model: "webotx", 
scope: "eq", trust: 0.8, vendor: "日本電気", version: "standard edition v5.1 to v5.2", }, { model: "webotx", scope: "eq", trust: 0.8, vendor: "日本電気", version: "standard edition v6.1 to v6.5", }, { model: "webotx", scope: "eq", trust: 0.8, vendor: "日本電気", version: "standard-j edition v5.1 to v5.2", }, { model: "webotx", scope: "eq", trust: 0.8, vendor: "日本電気", version: "standard-j edition v6.1 to v6.5", }, { model: "webotx", scope: "eq", trust: 0.8, vendor: "日本電気", version: "web edition v5.1 to v5.2", }, { model: "webotx", scope: "eq", trust: 0.8, vendor: "日本電気", version: "web edition v6.1 to v6.5", }, { model: "webotx", scope: "eq", trust: 0.8, vendor: "日本電気", version: "application server v7.1", }, { model: "webotx", scope: "eq", trust: 0.8, vendor: "日本電気", version: "developer v8.2 to v8.4 (with developer's studio only )", }, { model: "webotx", scope: "eq", trust: 0.8, vendor: "日本電気", version: "developer v9.1 to v9.2 (with developer's studio only )", }, { model: "webotx", scope: "eq", trust: 0.8, vendor: "日本電気", version: "portal v8.3 to v8.4", }, { model: "webotx", scope: "eq", trust: 0.8, vendor: "日本電気", version: "portal v9.1", }, { model: "webotx application server", scope: "eq", trust: 0.8, vendor: "日本電気", version: "v7.1", }, { model: "webotx developer", scope: "eq", trust: 0.8, vendor: "日本電気", version: "v8.2 to v8.4 (with developer's studio only )", }, { model: "webotx developer", scope: "eq", trust: 0.8, vendor: "日本電気", version: "v9.1 to v9.2 (with developer's studio only )", }, { model: "webotx portal", scope: "eq", trust: 0.8, vendor: "日本電気", version: "v8.3 to v8.4", }, { model: "webotx portal", scope: "eq", trust: 0.8, vendor: "日本電気", version: "v9.1", }, { model: "terasoluna server framework for java", scope: "lte", trust: 0.8, vendor: "株式会社エヌ ティ ティ データ", version: "2.0.0.1 from 2.0.5.1", }, { model: "oracle communications applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of metasolv solution 6.2.1.0.0", }, { model: "oracle communications 
applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of metasolv solution asr: 49.0.0", }, { model: "oracle communications applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of metasolv solution lsr: 10.1.0", }, { model: "oracle communications applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of metasolv solution lsr: 9.4.0", }, { model: "oracle fusion middleware", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of oracle adaptive access manager 11.1.1.5", }, { model: "oracle fusion middleware", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of oracle adaptive access manager 11.1.1.7", }, { model: "oracle fusion middleware", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of oracle adaptive access manager 11.1.2.1", }, { model: "oracle fusion middleware", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of oracle adaptive access manager 11.1.2.2", }, { model: "oracle fusion middleware", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of oracle enterprise data quality 8.1.2", }, { model: "oracle fusion middleware", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of oracle enterprise data quality 9.0.11", }, { model: "oracle fusion middleware", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of oracle jdeveloper 10.1.3.5", }, { model: "oracle fusion middleware", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of oracle jdeveloper 11.1.1.7", }, { model: "oracle fusion middleware", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of oracle jdeveloper 11.1.2.4", }, { model: "oracle fusion middleware", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of oracle jdeveloper 12.1.2.0", }, { model: "oracle fusion middleware", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of oracle jdeveloper 12.1.3.0", }, { model: "oracle fusion middleware", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of oracle waveset 8.1.1", }, { model: "oracle fusion middleware", scope: "eq", trust: 0.8, vendor: "オラクル", 
version: "of oracle weblogic portal 10.0.1.0", }, { model: "oracle fusion middleware", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of oracle weblogic portal 10.2.1.0", }, { model: "oracle fusion middleware", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of oracle weblogic portal 10.3.6.0", }, { model: "oracle fusion middleware", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of oracle real-time decision server 11.1.1.7 (rtd platform 3.0.x)", }, { model: "oracle identity manager", scope: "eq", trust: 0.8, vendor: "オラクル", version: "11.1.1.5", }, { model: "oracle identity manager", scope: "eq", trust: 0.8, vendor: "オラクル", version: "11.1.1.7", }, { model: "oracle identity manager", scope: "eq", trust: 0.8, vendor: "オラクル", version: "11.1.2.1", }, { model: "oracle identity manager", scope: "eq", trust: 0.8, vendor: "オラクル", version: "11.1.2.2", }, { model: "oracle primavera products suite", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of primavera contract management 13.1", }, { model: "oracle primavera products suite", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of primavera contract management 14.0", }, { model: "oracle primavera products suite", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of primavera p6 enterprise project portfolio management 7.0", }, { model: "oracle primavera products suite", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of primavera p6 enterprise project portfolio management 8.0", }, { model: "oracle primavera products suite", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of primavera p6 enterprise project portfolio management 8.1", }, { model: "oracle primavera products suite", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of primavera p6 enterprise project portfolio management 8.2", }, { model: "oracle primavera products suite", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of primavera p6 enterprise project portfolio management 8.3", }, { model: "oracle retail applications", scope: "eq", 
trust: 0.8, vendor: "オラクル", version: "of allocation 10.0", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of allocation 11.0", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of allocation 12.0", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of allocation 13.0", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of allocation 13.1", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of allocation 13.2", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of back office 12.0", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of back office 12.0.9in", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of back office 13.0", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of back office 13.1", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of back office 13.2", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of back office 13.3", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of back office 13.4", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of back office 14.0", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of back office 8.0", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of central office 12.0", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of central office 12.0.9in", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: 
"of central office 13.0", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of central office 13.1", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of central office 13.2", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of central office 13.3", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of central office 13.4", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of central office 14.0", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of central office 8.0", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of clearance optimization engine 13.3", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of clearance optimization engine 13.4", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of clearance optimization engine 14.0", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of invoice matching 11.0", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of invoice matching 12.0", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of invoice matching 12.0 in", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of invoice matching 12.1", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of invoice matching 13.0", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of invoice matching 13.1", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of invoice matching 13.2", }, { model: "oracle 
retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of invoice matching 14.0", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of markdown optimization 12.0", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of markdown optimization 13.0", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of markdown optimization 13.1", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of markdown optimization 13.2", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of markdown optimization 13.4", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of returns management 13.1", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of returns management 13.2", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of returns management 13.3", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of returns management 13.4", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of returns management 14.0", }, { model: "oracle retail applications", scope: "eq", trust: 0.8, vendor: "オラクル", version: "of returns management 2.0", }, { model: "oracle weblogic server", scope: "eq", trust: 0.8, vendor: "オラクル", version: "10.0.2.0", }, { model: "oracle weblogic server", scope: "eq", trust: 0.8, vendor: "オラクル", version: "10.3.6.0", }, { model: "oracle weblogic server", scope: "eq", trust: 0.8, vendor: "オラクル", version: "12.1.1.0", }, { model: "oracle weblogic server", scope: "eq", trust: 0.8, vendor: "オラクル", version: "12.1.2.0", }, { model: "oracle weblogic server", scope: "eq", trust: 0.8, vendor: "オラクル", version: "12.1.3.0", }, ], sources: [ { db: "JVNDB", id: 
"JVNDB-2020-006468", }, { db: "JVNDB", id: "JVNDB-2014-002308", }, { db: "NVD", id: "CVE-2014-0114", }, ], }, configurations: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", children: { "@container": "@list", }, cpe_match: { "@container": "@list", }, data: { "@container": "@list", }, nodes: { "@container": "@list", }, }, data: [ { CVE_data_version: "4.0", nodes: [ { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:apache:commons_beanutils:*:*:*:*:*:*:*:*", cpe_name: [], versionEndIncluding: "1.9.1", vulnerable: true, }, ], operator: "OR", }, { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:*", cpe_name: [], vulnerable: 
true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.1:b3:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.2.9:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, ], operator: "OR", }, ], }, ], sources: [ { db: "NVD", id: "CVE-2014-0114", }, ], }, credits: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "HP", sources: [ { db: "PACKETSTORM", id: "127868", }, { db: "PACKETSTORM", id: "128873", }, { db: "PACKETSTORM", id: "139721", }, { db: "PACKETSTORM", id: "126811", }, ], trust: 0.4, }, cve: "CVE-2014-0114", cvss: { "@context": { cvssV2: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2", }, cvssV3: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/", }, severity: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#", }, "@id": "https://www.variotdbs.pl/ref/cvss/severity", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { cvssV2: [ { acInsufInfo: false, accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "NVD", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", exploitabilityScore: 10, impactScore: 6.4, integrityImpact: "PARTIAL", obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, severity: "HIGH", trust: 1, userInteractionRequired: false, vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, { acInsufInfo: null, accessComplexity: "Low", accessVector: "Network", authentication: "None", author: "NVD", availabilityImpact: "Partial", baseScore: 7.5, 
confidentialityImpact: "Partial", exploitabilityScore: null, id: "CVE-2014-0114", impactScore: null, integrityImpact: "Partial", obtainAllPrivilege: null, obtainOtherPrivilege: null, obtainUserPrivilege: null, severity: "High", trust: 0.9, userInteractionRequired: null, vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, ], cvssV3: [ { attackComplexity: "Low", attackVector: "Network", author: "IPA", availabilityImpact: "High", baseScore: 9.8, baseSeverity: "Critical", confidentialityImpact: "High", exploitabilityScore: null, id: "JVNDB-2020-006468", impactScore: null, integrityImpact: "High", privilegesRequired: "None", scope: "Unchanged", trust: 0.8, userInteraction: "None", vectorString: "3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, ], severity: [ { author: "NVD", id: "CVE-2014-0114", trust: 1.8, value: "HIGH", }, { author: "IPA", id: "JVNDB-2020-006468", trust: 0.8, value: "Critical", }, { author: "VULMON", id: "CVE-2014-0114", trust: 0.1, value: "HIGH", }, ], }, ], sources: [ { db: "VULMON", id: "CVE-2014-0114", }, { db: "JVNDB", id: "JVNDB-2020-006468", }, { db: "JVNDB", id: "JVNDB-2014-002308", }, { db: "NVD", id: "CVE-2014-0114", }, ], }, description: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. An information management system for hospitals that can manage data such as financial management, clinical practice, and pharmacies. 
OpenClinic GA contains multiple vulnerabilities. The following vulnerabilities exist in OpenClinic GA: * Authentication bypass using an alternate path or channel (CWE-288) - CVE-2020-14485 * Improper restriction of excessive authentication attempts (CWE-307) - CVE-2020-14484 * Improper authentication (CWE-287) - CVE-2020-14494 * Missing authorization (CWE-862) - CVE-2020-14491 * Execution with unnecessary privileges (CWE-250) - CVE-2020-14493 * Unrestricted upload of files with dangerous types (CWE-434) - CVE-2020-14488 * Path traversal (CWE-22) - CVE-2020-14490 * Improper authorization (CWE-285) - CVE-2020-14486 * Cross-site scripting (CWE-79) - CVE-2020-14492 * Use of unmaintained third-party components (CWE-1104) - CVE-2020-14495 (due to CVE-2014-0114, CVE-2016-1181, CVE-2016-1182) * Insufficiently protected credentials (CWE-522) - CVE-2020-14489 * Hidden functionality (CWE-912) - CVE-2020-14487 (however, this vulnerability does not affect Version 5.89.05b). The expected impact depends on each vulnerability, but may include the following: * A remote attacker bypasses client-side access control or sends a specially crafted request to start a session and perform administrator functions such as SQL query execution - CVE-2020-14485 * A remote attacker bypasses the system's account lockout feature and carries out a brute force attack - CVE-2020-14484 * The system's protection mechanism against brute force attacks is insufficient, allowing an unauthenticated attacker to access the system after exceeding the maximum number of login attempts - CVE-2020-14494 * The system does not check the execution permission of SQL queries, so a user with lower privileges can access information that requires higher privileges - CVE-2020-14491 * A user with relatively low privileges can write arbitrary files by executing SQL, and as a result arbitrary commands are executed on the system 
- CVE-2020-14493 * The system does not properly validate uploaded files, so a low-privileged attacker can upload and execute arbitrary files on the system - CVE-2020-14488 * Including a local file specified by a parameter discloses sensitive information or executes an uploaded malicious file - CVE-2020-14490 * By bypassing the redirect that is performed when authentication fails, an unauthenticated attacker can execute commands without authorization - CVE-2020-14486 * Malicious code is executed in the user's browser because user input is not properly validated - CVE-2020-14492 * Known vulnerabilities in end-of-support third-party software used by the system (CVE-2014-0114, CVE-2016-1181, CVE-2016-1182) allow a remote attacker to execute malicious code * There is a flaw in the hashing process used when saving passwords, so passwords can be recovered by a dictionary attack - CVE-2020-14489 * A default user account exists in the system in an accessible state, and an attacker can use that account to execute arbitrary commands - CVE-2020-14487. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Important: Fuse ESB Enterprise 7.1.0 security update\nAdvisory ID: RHSA-2014:0498-01\nProduct: Fuse Enterprise Middleware\nAdvisory URL: https://rhn.redhat.com/errata/RHSA-2014-0498.html\nIssue date: 2014-05-14\nCVE Names: CVE-2014-0114 \n=====================================================================\n\n1. Summary:\n\nFuse ESB Enterprise 7.1.0 R1 P4 (Patch 4 on Rollup Patch 1), a security\nupdate that addresses one security issue, is now available from the Red Hat\nCustomer Portal. \n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section. 
\n\n2. Description:\n\nFuse ESB Enterprise is an integration platform based on Apache ServiceMix. \nA remote attacker could use this flaw to manipulate the ClassLoader used by\nan application server running Struts 1. This could lead to remote code\nexecution under certain conditions. (CVE-2014-0114)\n\nRefer to the readme.txt file included with the patch files for\ninstallation instructions. \n\nAll users of Fuse ESB Enterprise 7.1.0 as provided from the Red Hat\nCustomer Portal are advised to apply this security update. \n\n3. Solution:\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). \n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1091938 - CVE-2014-0114 Apache Struts 1: Class Loader manipulation via request parameters\n\n5. References:\n\nhttps://www.redhat.com/security/data/cve/CVE-2014-0114.html\nhttps://access.redhat.com/security/updates/classification/#important\nhttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.esb.enterprise&downloadType=securityPatches&version=7.1.0\n\n6. Contact:\n\nThe Red Hat security contact is <secalert@redhat.com>. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2014 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.4 (GNU/Linux)\n\niD8DBQFTc7htXlSAg2UNWIIRAtEjAJ42Q72A3+z4BA2MCJI8i0qyTvdSrgCeJitA\ne2zBKDmixb/nax84cDhcYLo=\n=d5S2\n-----END PGP SIGNATURE-----\n\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. 
-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nNote: the current version of the following document is available here:\nhttps://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05324755\n\nSUPPORT COMMUNICATION - SECURITY BULLETIN\n\nDocument ID: c05324755\nVersion: 1\n\nHPSBGN03669 rev.1 - HPE SiteScope, Local Elevation of Privilege, Remote\nDenial of Service, Arbitrary Code Execution and Cross-Site Request Forgery\n\nNOTICE: The information in this Security Bulletin should be acted upon as\nsoon as possible. \n\nRelease Date: 2016-11-04\nLast Updated: 2016-11-04\n\nPotential Security Impact: Local: Elevation of Privilege; Remote: Arbitrary\nCode Execution, Cross-Site Request Forgery (CSRF), Denial of Service (DoS)\n\nSource: Hewlett Packard Enterprise, Product Security Response Team\n\nVULNERABILITY SUMMARY\nPotential vulnerabilities have been identified in HPE SiteScope. The\nvulnerabilities could be exploited to allow local elevation of privilege and\nexploited remotely to allow denial of service, arbitrary code execution,\ncross-site request forgery. \n\nReferences:\n\n - CVE-2014-0114 - Apache Struts, execution of arbitrary code\n - CVE-2016-0763 - Apache Tomcat, denial of service (DoS)\n - CVE-2014-0107 - Apache XML Xalan, bypass expected restrictions \n - CVE-2015-3253 - Apache Groovy, execution of arbitrary code \n - CVE-2015-5652 - Python, elevation of privilege\n - CVE-2013-6429 - Spring Framework, cross-site request forgery\n - CVE-2014-0050 - Apache Commons FileUpload, denial of service (DoS)\n - PSRT110264\n\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. 
\n\n - HP SiteScope Monitors Software Series 11.2x - 11.32IP1\n\nBACKGROUND\n\n CVSS Base Metrics\n =================\n Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector\n\n CVE-2013-6429\n 6.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L\n 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)\n\n CVE-2014-0050\n 8.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L\n 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)\n\n CVE-2014-0107\n 8.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L\n 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)\n\n CVE-2014-0114\n 6.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L\n 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)\n\n CVE-2015-3253\n 7.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L\n 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)\n\n CVE-2015-5652\n 8.6 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\n 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)\n\n CVE-2016-0763\n 6.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L\n 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)\n\n Information on CVSS is documented in\n HPE Customer Notice HPSN-2008-002 here:\n\nhttps://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499\n\nRESOLUTION\n\nHPE has provided a resolution via an update to HPE SiteScope. Details on the\nupdate and each vulnerability are in the KM articles below. \n\n **Note:** The resolution for each vulnerability listed is to upgrade to\nSiteScope 11.32IP2 or an even more recent version of SiteScope if available. \nThe SiteScope update can be found in the personal zone in \"my updates\" in\nHPE Software Support Online: <https://softwaresupport.hpe.com>. 
\n\n\n * Apache Commons FileUpload: KM02550251 (CVE-2014-0050): \n\n +\n<https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/KM02550251>\n\n\n * Apache Struts: KM02553983 (CVE-2014-0114):\n\n +\n<https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/KM02553983>\n\n\n * Apache Tomcat: KM02553990 (CVE-2016-0763):\n\n +\n<https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/KM02553990>\n\n * Apache XML Xalan: KM02553991 (CVE-2014-0107):\n\n +\n<https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/KM02553991>\n\n * Apache Groovy: KM02553992 (CVE-2015-3253):\n\n +\n<https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/KM02553992>\n\n * Python: KM02553997 (CVE-2015-5652):\n\n +\n<https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/KM02553997>\n\n * Spring Framework: KM02553998 (CVE-2013-6429):\n\n +\n<https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/KM02553998>\n\nHISTORY\nVersion:1 (rev.1) - 4 November 2016 Initial release\n\nThird Party Security Patches: Third party security patches that are to be\ninstalled on systems running Hewlett Packard Enterprise (HPE) software\nproducts should be applied in accordance with the customer's patch management\npolicy. \n\nSupport: For issues about implementing the recommendations of this Security\nBulletin, contact normal HPE Services support channel. For other issues about\nthe content of this Security Bulletin, send e-mail to security-alert@hpe.com. 
\n\nReport: To report a potential security vulnerability for any HPE supported\nproduct:\n Web form: https://www.hpe.com/info/report-security-vulnerability\n Email: security-alert@hpe.com\n\nSubscribe: To initiate a subscription to receive future HPE Security Bulletin\nalerts via Email: http://www.hpe.com/support/Subscriber_Choice\n\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\navailable here: http://www.hpe.com/support/Security_Bulletin_Archive\n\nSoftware Product Category: The Software Product Category is represented in\nthe title by the two characters following HPSB. \n\n3C = 3COM\n3P = 3rd Party Software\nGN = HPE General Software\nHF = HPE Hardware and Firmware\nMU = Multi-Platform Software\nNS = NonStop Servers\nOV = OpenVMS\nPV = ProCurve\nST = Storage Software\nUX = HP-UX\n\nCopyright 2016 Hewlett Packard Enterprise\n\nHewlett Packard Enterprise shall not be liable for technical or editorial\nerrors or omissions contained herein. The information provided is provided\n\"as is\" without warranty of any kind. To the extent permitted by law, neither\nHP or its affiliates, subcontractors or suppliers will be liable for\nincidental,special or consequential damages including downtime cost; lost\nprofits; damages relating to the procurement of substitute products or\nservices; or damages for loss of data, or software restoration. The\ninformation in this document is subject to change without notice. Hewlett\nPackard Enterprise and the names of Hewlett Packard Enterprise products\nreferenced herein are trademarks of Hewlett Packard Enterprise in the United\nStates and other countries. Other product and company names mentioned herein\nmay be trademarks of their respective owners. \n\nReferences: CVE-2014-0114, SSRT101566\n\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. 
\n\nMitigation information for the Apache Struts vulnerability (CVE-2014-0114) is\navailable at the following location:\n\nhttp://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-a\npplications/ba-p/6463188#.U2J7xeaSxro\n\nJapanese information is available at the following location:\n\nhttp://www.hp.com/jp/icewall_patchaccess\n\nNote: The HP IceWall product is only available in Japan. \nHewlett-Packard Company shall not be liable for technical or editorial errors\nor omissions contained herein", sources: [ { db: "NVD", id: "CVE-2014-0114", }, { db: "JVNDB", id: "JVNDB-2020-006468", }, { db: "JVNDB", id: "JVNDB-2014-002308", }, { db: "VULMON", id: "CVE-2014-0114", }, { db: "PACKETSTORM", id: "126619", }, { db: "PACKETSTORM", id: "127868", }, { db: "PACKETSTORM", id: "128873", }, { db: "PACKETSTORM", id: "139721", }, { db: "PACKETSTORM", id: "126811", }, ], trust: 2.88, }, exploit_availability: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { reference: "https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=41690", trust: 0.1, type: "exploit", }, ], sources: [ { db: "VULMON", id: "CVE-2014-0114", }, ], }, external_ids: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { db: "NVD", id: "CVE-2014-0114", trust: 3.2, }, { db: "ICS CERT", id: "ICSMA-20-184-01", trust: 1.6, }, { db: "SECUNIA", id: "59430", trust: 1, }, { db: "SECUNIA", id: "60177", trust: 1, }, { db: "SECUNIA", id: "59246", trust: 1, }, { db: "SECUNIA", id: "59118", trust: 1, }, { db: "SECUNIA", id: "59464", trust: 1, }, { db: "SECUNIA", id: "59704", trust: 1, }, { db: "SECUNIA", id: "58710", trust: 1, }, { db: "SECUNIA", id: "59718", 
trust: 1, }, { db: "SECUNIA", id: "59228", trust: 1, }, { db: "SECUNIA", id: "57477", trust: 1, }, { db: "SECUNIA", id: "58947", trust: 1, }, { db: "SECUNIA", id: "60703", trust: 1, }, { db: "SECUNIA", id: "58851", trust: 1, }, { db: "SECUNIA", id: "59245", trust: 1, }, { db: "SECUNIA", id: "59014", trust: 1, }, { db: "SECUNIA", id: "59479", trust: 1, }, { db: "SECUNIA", id: "59480", trust: 1, }, { db: "OPENWALL", id: "OSS-SECURITY/2014/07/08/1", trust: 1, }, { db: "OPENWALL", id: "OSS-SECURITY/2014/06/15/10", trust: 1, }, { db: "BID", id: "67121", trust: 1, }, { db: "JVN", id: "JVNVU96290700", trust: 0.8, }, { db: "JVNDB", id: "JVNDB-2020-006468", trust: 0.8, }, { db: "JVNDB", id: "JVNDB-2014-000056", trust: 0.8, }, { db: "JVNDB", id: "JVNDB-2014-002308", trust: 0.8, }, { db: "VULMON", id: "CVE-2014-0114", trust: 0.1, }, { db: "PACKETSTORM", id: "126619", trust: 0.1, }, { db: "PACKETSTORM", id: "127868", trust: 0.1, }, { db: "PACKETSTORM", id: "128873", trust: 0.1, }, { db: "PACKETSTORM", id: "139721", trust: 0.1, }, { db: "PACKETSTORM", id: "126811", trust: 0.1, }, ], sources: [ { db: "VULMON", id: "CVE-2014-0114", }, { db: "JVNDB", id: "JVNDB-2020-006468", }, { db: "JVNDB", id: "JVNDB-2014-002308", }, { db: "PACKETSTORM", id: "126619", }, { db: "PACKETSTORM", id: "127868", }, { db: "PACKETSTORM", id: "128873", }, { db: "PACKETSTORM", id: "139721", }, { db: "PACKETSTORM", id: "126811", }, { db: "NVD", id: "CVE-2014-0114", }, ], }, id: "VAR-201404-0288", iot: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: true, sources: [ { db: "VARIoT devices database", id: null, }, ], trust: 0.20729166999999998, }, last_update_date: "2024-07-23T19:41:23.375000Z", patch: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { title: "OpenClinic GA", trust: 0.8, url: "https://sourceforge.net/projects/open-clinic/", }, { title: "Interstage Navigator Explorer Server", trust: 0.8, url: "https://issues.apache.org/jira/browse/beanutils-463", }, { title: "Red Hat: Important: Red Hat A-MQ Broker 7.5 release and security update", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=rhsa-20192995 - security advisory", }, { title: "Debian CVElist Bug Report Logs: libstruts1.2-java: CVE-2014-0114", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=96f4091aa31a0ece729fdcb110066df5", }, { title: "Red Hat: CVE-2014-0114", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=cve-2014-0114", }, { title: "Red Hat: Important: Fuse 7.1 security update", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=rhsa-20182669 - security advisory", }, { title: "IBM: IBM Security Bulletin: Multiple Security Vulnerabilities have been fixed in IBM Security Privileged Identity Manager Appliance.", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=f5bb2b180c7c77e5a02747a1f31830d9", }, { title: "Oracle: Oracle Critical Patch Update Advisory - January 2019", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=f655264a6935505d167bbf45f409a57b", }, { title: "Oracle: Oracle Critical Patch Update Advisory - October 2018", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=81c63752a6f26433af2128b2e8c02385", }, { title: "Oracle: Oracle Critical Patch Update Advisory - January 2018", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=e2a7f287e9acc8c64ab3df71130bc64d", }, { title: "IBM: IBM Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to multiple 
security vulnerabilities", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=55ea315dfb69fce8383762ac64250315", }, { title: "Oracle: Oracle Critical Patch Update Advisory - April 2017", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=143b3fb255063c81571469eaa3cf0a87", }, { title: "Oracle: Oracle Critical Patch Update Advisory - October 2017", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=523d3f220a64ff01dd95e064bd37566a", }, { title: "IBM: Security Bulletin: Netcool Operations Insight v1.6.6 contains fixes for multiple security vulnerabilities.", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=68c6989b84f14aaac220c13b754c7702", }, { title: "Oracle: Oracle Critical Patch Update Advisory - January 2015", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=4a692d6d60aa31507cb101702b494c51", }, { title: "Oracle: Oracle Critical Patch Update Advisory - October 2016", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=05aabe19d38058b7814ef5514aab4c0c", }, { title: "Oracle: Oracle Critical Patch Update Advisory - July 2018", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=5f8c525f1408011628af1792207b2099", }, { title: "struts1-patch", trust: 0.1, url: "https://github.com/ricedu/struts1-patch ", }, { title: "", trust: 0.1, url: "https://github.com/weblegacy/struts1 ", }, { title: "struts1filter", trust: 0.1, url: "https://github.com/rgielen/struts1filter ", }, { title: "StrutsExample", trust: 0.1, url: "https://github.com/vikasvns2000/strutsexample ", }, { title: "struts-mini", trust: 0.1, url: "https://github.com/bingcai/struts-mini ", }, { title: "strutt-cve-2014-0114", trust: 0.1, url: "https://github.com/anob3it/strutt-cve-2014-0114 ", }, { title: "super-pom", trust: 0.1, url: "https://github.com/ian4hu/super-pom ", }, ], sources: [ { db: "VULMON", id: 
"CVE-2014-0114", }, { db: "JVNDB", id: "JVNDB-2020-006468", }, { db: "JVNDB", id: "JVNDB-2014-002308", }, ], }, problemtype_data: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { problemtype: "CWE-20", trust: 1, }, { problemtype: "Use of unmaintained third-party components (CWE-1104) [IPA Evaluation ]", trust: 0.8, }, { problemtype: " Path traversal (CWE-22) [IPA Evaluation ]", trust: 0.8, }, { problemtype: " Execution with unnecessary privileges (CWE-250) [IPA Evaluation ]", trust: 0.8, }, { problemtype: " Inappropriate authorization (CWE-285) [IPA Evaluation ]", trust: 0.8, }, { problemtype: " Improper authentication (CWE-287) [IPA Evaluation ]", trust: 0.8, }, { problemtype: " Authentication bypass using alternate path or channel (CWE-288) [IPA Evaluation ]", trust: 0.8, }, { problemtype: " Inappropriate restriction of excessive authentication attempts (CWE-307) [IPA Evaluation ]", trust: 0.8, }, { problemtype: " Unlimited upload of dangerous types of files (CWE-434) [IPA Evaluation ]", trust: 0.8, }, { problemtype: " Inadequate protection of credentials (CWE-522) [IPA Evaluation ]", trust: 0.8, }, { problemtype: " Cross-site scripting (CWE-79) [IPA Evaluation ]", trust: 0.8, }, { problemtype: " Lack of certification (CWE-862) [IPA Evaluation ]", trust: 0.8, }, { problemtype: " Private features (CWE-912) [IPA Evaluation ]", trust: 0.8, }, { problemtype: "Incorrect input confirmation (CWE-20) [NVD Evaluation ]", trust: 0.8, }, ], sources: [ { db: "JVNDB", id: "JVNDB-2020-006468", }, { db: "JVNDB", id: "JVNDB-2014-002308", }, { db: "NVD", id: "CVE-2014-0114", }, ], }, references: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { trust: 1, url: 
"http://advisories.mageia.org/mgasa-2014-0219.html", }, { trust: 1, url: "http://apache-ignite-developers.2346864.n4.nabble.com/cve-2014-0114-apache-ignite-is-vulnerable-to-existing-cve-2014-0114-td31205.html", }, { trust: 1, url: "http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/release-notes.txt", }, { trust: 1, url: "http://lists.fedoraproject.org/pipermail/package-announce/2014-august/136958.html", }, { trust: 1, url: "http://marc.info/?l=bugtraq&m=140119284401582&w=2", }, { trust: 1, url: "http://marc.info/?l=bugtraq&m=140801096002766&w=2", }, { trust: 1, url: "http://marc.info/?l=bugtraq&m=141451023707502&w=2", }, { trust: 1, url: "http://openwall.com/lists/oss-security/2014/06/15/10", }, { trust: 1, url: "http://openwall.com/lists/oss-security/2014/07/08/1", }, { trust: 1, url: "http://seclists.org/fulldisclosure/2014/dec/23", }, { trust: 1, url: "http://secunia.com/advisories/57477", }, { trust: 1, url: "http://secunia.com/advisories/58710", }, { trust: 1, url: "http://secunia.com/advisories/58851", }, { trust: 1, url: "http://secunia.com/advisories/58947", }, { trust: 1, url: "http://secunia.com/advisories/59014", }, { trust: 1, url: "http://secunia.com/advisories/59118", }, { trust: 1, url: "http://secunia.com/advisories/59228", }, { trust: 1, url: "http://secunia.com/advisories/59245", }, { trust: 1, url: "http://secunia.com/advisories/59246", }, { trust: 1, url: "http://secunia.com/advisories/59430", }, { trust: 1, url: "http://secunia.com/advisories/59464", }, { trust: 1, url: "http://secunia.com/advisories/59479", }, { trust: 1, url: "http://secunia.com/advisories/59480", }, { trust: 1, url: "http://secunia.com/advisories/59704", }, { trust: 1, url: "http://secunia.com/advisories/59718", }, { trust: 1, url: "http://secunia.com/advisories/60177", }, { trust: 1, url: "http://secunia.com/advisories/60703", }, { trust: 1, url: "http://www-01.ibm.com/support/docview.wss?uid=swg21674128", }, { trust: 1, url: 
"http://www-01.ibm.com/support/docview.wss?uid=swg21674812", }, { trust: 1, url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675266", }, { trust: 1, url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675387", }, { trust: 1, url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675689", }, { trust: 1, url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675898", }, { trust: 1, url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675972", }, { trust: 1, url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676091", }, { trust: 1, url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676110", }, { trust: 1, url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676303", }, { trust: 1, url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676375", }, { trust: 1, url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676931", }, { trust: 1, url: "http://www-01.ibm.com/support/docview.wss?uid=swg21677110", }, { trust: 1, url: "http://www-01.ibm.com/support/docview.wss?uid=swg27042296", }, { trust: 1, url: "http://www.debian.org/security/2014/dsa-2940", }, { trust: 1, url: "http://www.ibm.com/support/docview.wss?uid=swg21675496", }, { trust: 1, url: "http://www.mandriva.com/security/advisories?name=mdvsa-2014:095", }, { trust: 1, url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { trust: 1, url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { trust: 1, url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", }, { trust: 1, url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", }, { trust: 1, url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { trust: 1, url: "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", }, { trust: 1, url: "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html", }, { trust: 1, url: 
"http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html", }, { trust: 1, url: "http://www.securityfocus.com/archive/1/534161/100/0/threaded", }, { trust: 1, url: "http://www.securityfocus.com/bid/67121", }, { trust: 1, url: "http://www.vmware.com/security/advisories/vmsa-2014-0008.html", }, { trust: 1, url: "http://www.vmware.com/security/advisories/vmsa-2014-0012.html", }, { trust: 1, url: "https://access.redhat.com/errata/rhsa-2018:2669", }, { trust: 1, url: "https://access.redhat.com/errata/rhsa-2019:2995", }, { trust: 1, url: "https://access.redhat.com/solutions/869353", }, { trust: 1, url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { trust: 1, url: "https://bugzilla.redhat.com/show_bug.cgi?id=1116665", }, { trust: 1, url: "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05324755", }, { trust: 1, url: "https://issues.apache.org/jira/browse/beanutils-463", }, { trust: 1, url: "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3cdev.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3cissues.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3cissues.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3cissues.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3cissues.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3cuser.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3cissues.activemq.apache.org%3e", }, { 
trust: 1, url: "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3ccommits.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3cissues.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3cissues.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3cissues.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3cissues.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3ccommits.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3cdevnull.infra.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3cissues.activemq.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3cdev.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3cissues.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3cissues.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3cdev.drill.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3cissues.commons.apache.org%3e", }, { trust: 1, url: 
"https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3cissues.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3cissues.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3cissues.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3csolr-user.lucene.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3cissues.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3cdev.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3cissues.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3cannounce.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3ccommits.druid.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3cissues.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3cissues.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3cissues.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3cissues.commons.apache.org%3e", }, { trust: 1, url: 
"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3cdev.drill.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3ccommits.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3ccommits.pulsar.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3cissues.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3cissues.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3cgitbox.activemq.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3cdev.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3cissues.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3cnotifications.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3cissues.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3cissues.drill.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3cnotifications.commons.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3cissues.commons.apache.org%3e", }, { trust: 1, url: 
"https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3csolr-user.lucene.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3ccommits.dolphinscheduler.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3cissues.activemq.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3csolr-user.lucene.apache.org%3e", }, { trust: 1, url: "https://security.gentoo.org/glsa/201607-09", }, { trust: 1, url: "https://security.netapp.com/advisory/ntap-20140911-0001/", }, { trust: 1, url: "https://security.netapp.com/advisory/ntap-20180629-0006/", }, { trust: 1, url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { trust: 1, url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { trust: 1, url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { trust: 0.8, url: "http://jvn.jp/vu/jvnvu96290700/index.html", }, { trust: 0.8, url: "https://www.us-cert.gov/ics/recommended-practices", }, { trust: 0.8, url: "https://www.us-cert.gov/ics/advisories/icsma-20-184-01", }, { trust: 0.8, url: "https://www.fda.gov/medical-devices/digital-health/cybersecurity", }, { trust: 0.8, url: "http://jvndb.jvn.jp/ja/contents/2014/jvndb-2014-000056.html", }, { trust: 0.8, url: "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-0114", }, { trust: 0.8, url: "https://us-cert.cisa.gov/ics/advisories/icsma-20-184-01", }, { trust: 0.5, url: "https://nvd.nist.gov/vuln/detail/cve-2014-0114", }, { trust: 0.3, url: "https://h20564.www2.hp.com/portal/site/hpsc/public/kb/", }, { trust: 0.3, url: "https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secbullarchive/", }, { trust: 0.3, url: 
"http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins", }, { trust: 0.1, url: "https://rhn.redhat.com/errata/rhsa-2014-0498.html", }, { trust: 0.1, url: "https://www.redhat.com/mailman/listinfo/rhsa-announce", }, { trust: 0.1, url: "https://bugzilla.redhat.com/):", }, { trust: 0.1, url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=fuse.esb.enterprise&downloadtype=securitypatches&version=7.1.0", }, { trust: 0.1, url: "https://www.redhat.com/security/data/cve/cve-2014-0114.html", }, { trust: 0.1, url: "https://access.redhat.com/security/team/contact/", }, { trust: 0.1, url: "https://access.redhat.com/security/updates/classification/#important", }, { trust: 0.1, url: "http://support.openview.hp.com/selfsolve/document/lid/sis_00321", }, { trust: 0.1, url: "http://support.openview.hp.com/selfsolve/document/lid/sis_00320", }, { trust: 0.1, url: "http://support.openview.hp.com/selfsolve/document/lid/sis_00322", }, { trust: 0.1, url: "http://support.openview.hp.com/selfsolve/document/lid/sis_00324", }, { trust: 0.1, url: "http://support.openview.hp.com/selfsolve/document/lid/sis_00318", }, { trust: 0.1, url: "http://support.openview.hp.com/selfsolve/document/lid/sis_00319", }, { trust: 0.1, url: "http://support.openview.hp.com/selfsolve/document/lid/sis_00316", }, { trust: 0.1, url: "http://support.openview.hp.com/selfsolve/document/lid/sis_00315", }, { trust: 0.1, url: "http://support.openview.hp.com/selfsolve/document/lid/sis_00323", }, { trust: 0.1, url: "http://support.openview.hp.com/selfsolve/document/lid/sis_00317", }, { trust: 0.1, url: "https://softwaresupport.hpe.com>.", }, { trust: 0.1, url: "https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facets", }, { trust: 0.1, url: "https://h20564.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-c05324755", }, { trust: 0.1, url: "http://www.hpe.com/support/security_bulletin_archive", }, { trust: 0.1, url: 
"https://www.hpe.com/info/report-security-vulnerability", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2016-0763", }, { trust: 0.1, url: "http://www.hpe.com/support/subscriber_choice", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2015-3253", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2014-0107", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2013-6429", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2014-0050", }, { trust: 0.1, url: "https://h20564.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-c01345499", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2015-5652", }, { trust: 0.1, url: "http://www.hp.com/jp/icewall_patchaccess", }, { trust: 0.1, url: "http://h30499.www3.hp.com/t5/hp-security-research-blog/protect-your-struts1-a", }, ], sources: [ { db: "JVNDB", id: "JVNDB-2020-006468", }, { db: "JVNDB", id: "JVNDB-2014-002308", }, { db: "PACKETSTORM", id: "126619", }, { db: "PACKETSTORM", id: "127868", }, { db: "PACKETSTORM", id: "128873", }, { db: "PACKETSTORM", id: "139721", }, { db: "PACKETSTORM", id: "126811", }, { db: "NVD", id: "CVE-2014-0114", }, ], }, sources: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", data: { "@container": "@list", }, }, data: [ { db: "VULMON", id: "CVE-2014-0114", }, { db: "JVNDB", id: "JVNDB-2020-006468", }, { db: "JVNDB", id: "JVNDB-2014-002308", }, { db: "PACKETSTORM", id: "126619", }, { db: "PACKETSTORM", id: "127868", }, { db: "PACKETSTORM", id: "128873", }, { db: "PACKETSTORM", id: "139721", }, { db: "PACKETSTORM", id: "126811", }, { db: "NVD", id: "CVE-2014-0114", }, ], }, sources_release_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", data: { "@container": "@list", }, }, data: [ { date: "2014-04-30T00:00:00", db: "VULMON", id: "CVE-2014-0114", }, { date: "2020-07-09T00:00:00", db: "JVNDB", id: "JVNDB-2020-006468", }, { date: "2014-05-01T00:00:00", db: "JVNDB", id: 
"JVNDB-2014-002308", }, { date: "2014-05-14T19:25:00", db: "PACKETSTORM", id: "126619", }, { date: "2014-08-14T22:49:43", db: "PACKETSTORM", id: "127868", }, { date: "2014-10-28T18:09:30", db: "PACKETSTORM", id: "128873", }, { date: "2016-11-15T00:42:48", db: "PACKETSTORM", id: "139721", }, { date: "2014-05-27T16:17:39", db: "PACKETSTORM", id: "126811", }, { date: "2014-04-30T10:49:03.973000", db: "NVD", id: "CVE-2014-0114", }, ], }, sources_update_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", data: { "@container": "@list", }, }, data: [ { date: "2023-02-13T00:00:00", db: "VULMON", id: "CVE-2014-0114", }, { date: "2020-09-01T00:00:00", db: "JVNDB", id: "JVNDB-2020-006468", }, { date: "2020-09-02T00:00:00", db: "JVNDB", id: "JVNDB-2014-002308", }, { date: "2023-02-13T00:32:29.660000", db: "NVD", id: "CVE-2014-0114", }, ], }, threat_type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "remote", sources: [ { db: "PACKETSTORM", id: "126619", }, ], trust: 0.1, }, title: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "OpenClinic GA Multiple vulnerabilities in", sources: [ { db: "JVNDB", id: "JVNDB-2020-006468", }, ], trust: 0.8, }, type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "arbitrary", sources: [ { db: "PACKETSTORM", id: "127868", }, { db: "PACKETSTORM", id: "126811", }, ], trust: 0.2, }, }
ICSMA-20-184-01
Vulnerability from csaf_cisa
Notes
{ document: { acknowledgments: [ { names: [ "Brian D. Hysell", ], summary: "reporting these vulnerabilities to CISA", }, ], category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Disclosure is not limited", tlp: { label: "WHITE", url: "https://us-cert.cisa.gov/tlp/", }, }, lang: "en-US", notes: [ { category: "general", text: "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov", title: "CISA Disclaimer", }, { category: "legal_disclaimer", text: "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.", title: "Legal Notice", }, { category: "summary", text: "Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication, discover restricted information, view/manipulate restricted database information, and/or execute malicious code.", title: "Risk evaluation", }, { category: "other", text: "Healthcare and Public Health", title: "Critical infrastructure sectors", }, { category: "other", text: "Worldwide", title: "Countries/areas deployed", }, { category: "other", text: "Open-source", title: "Company headquarters location", }, { category: "general", text: "CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. 
Specifically, users should:", title: "Recommended Practices", }, { category: "general", text: "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.", title: "Recommended Practices", }, { category: "general", text: "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.", title: "Recommended Practices", }, { category: "general", text: "CISA also recommends users take the following measures to protect themselves from social engineering attacks:", title: "Recommended Practices", }, ], publisher: { category: "coordinator", contact_details: "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870", name: "CISA", namespace: "https://www.cisa.gov/", }, references: [ { category: "self", summary: "ICS Advisory ICSMA-20-184-01 JSON", url: "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2020/icsma-20-184-01.json", }, { category: "self", summary: "ICS Advisory ICSMA-20-184-01 Web Version", url: "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-20-184-01", }, { category: "external", summary: "Recommended Practices", url: "https://us-cert.cisa.gov/ncas/tips/ST04-014", }, { category: "external", summary: "Recommended Practices", url: 
"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf", }, { category: "external", summary: "Recommended Practices", url: "https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B", }, ], title: "OpenClinic GA (Update B)", tracking: { current_release_date: "2021-06-15T00:00:00.000000Z", generator: { engine: { name: "CISA CSAF Generator", version: "1.0.0", }, }, id: "ICSMA-20-184-01", initial_release_date: "2020-07-02T00:00:00.000000Z", revision_history: [ { date: "2020-07-02T00:00:00.000000Z", legacy_version: "Initial", number: "1", summary: "ICSMA-20-184-01 OpenClinic GA", }, { date: "2020-08-27T00:00:00.000000Z", legacy_version: "A", number: "2", summary: "ICSMA-20-184-01 OpenClinic GA (Update A)", }, { date: "2021-06-15T00:00:00.000000Z", legacy_version: "B", number: "3", summary: "ICSMA-20-184-01 OpenClinic GA (Update B)", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "5.09.02", product: { name: "OpenClinic GA: Version 5.09.02", product_id: "CSAFPID-0001", }, }, ], category: "product_name", name: "OpenClinic GA", }, { branches: [ { category: "product_version", name: "5.89.05b", product: { name: "OpenClinic GA: Version 5.89.05b", product_id: "CSAFPID-0002", }, }, ], category: "product_name", name: "OpenClinic GA", }, ], category: "vendor", name: "OpenClinic GA", }, ], }, vulnerabilities: [ { cve: "CVE-2020-14485", cwe: { id: "CWE-288", name: "Authentication Bypass Using an Alternate Path or Channel", }, notes: [ { category: "summary", text: "An attacker may bypass client-side access controls or use a crafted request to initiate a session with limited functionality, which may allow execution of admin functions such as SQL queries.CVE-2020-14485 has been assigned to this vulnerability. 
A CVSS v3 base score of 9.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).", title: "Vulnerability Summary", }, ], product_status: { known_affected: [ "CSAFPID-0001", "CSAFPID-0002", ], }, references: [ { category: "external", summary: "web.nvd.nist.gov", url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14485", }, { category: "external", summary: "www.first.org", url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", }, ], remediations: [ { category: "vendor_fix", details: "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.", product_ids: [ "CSAFPID-0001", "CSAFPID-0002", ], url: "https://sourceforge.net/projects/open-clinic/files/", }, ], scores: [ { cvss_v3: { baseScore: 9.4, baseSeverity: "CRITICAL", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", version: "3.0", }, products: [ "CSAFPID-0001", "CSAFPID-0002", ], }, ], }, { cve: "CVE-2020-14484", cwe: { id: "CWE-307", name: "Improper Restriction of Excessive Authentication Attempts", }, notes: [ { category: "summary", text: "An attacker can bypass the system 's account lockout protection, which may allow brute force password attacks.CVE-2020-14484 has been assigned to this vulnerability. 
A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).", title: "Vulnerability Summary", }, ], product_status: { known_affected: [ "CSAFPID-0001", "CSAFPID-0002", ], }, references: [ { category: "external", summary: "web.nvd.nist.gov", url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14484", }, { category: "external", summary: "www.first.org", url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", }, ], remediations: [ { category: "vendor_fix", details: "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.", product_ids: [ "CSAFPID-0001", "CSAFPID-0002", ], url: "https://sourceforge.net/projects/open-clinic/files/", }, ], scores: [ { cvss_v3: { baseScore: 7.3, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, products: [ "CSAFPID-0001", "CSAFPID-0002", ], }, ], }, { cve: "CVE-2020-14494", cwe: { id: "CWE-287", name: "Improper Authentication", }, notes: [ { category: "summary", text: "An authentication mechanism within the system does not contain sufficient complexity to protect against brute force attacks, which may allow unauthorized users to access the system after no more than a fixed maximum number of attempts.CVE-2020-14494 has been assigned to this vulnerability. 
A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).", title: "Vulnerability Summary", }, ], product_status: { known_affected: [ "CSAFPID-0001", "CSAFPID-0002", ], }, references: [ { category: "external", summary: "web.nvd.nist.gov", url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14494", }, { category: "external", summary: "www.first.org", url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", }, ], remediations: [ { category: "vendor_fix", details: "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.", product_ids: [ "CSAFPID-0001", "CSAFPID-0002", ], url: "https://sourceforge.net/projects/open-clinic/files/", }, ], scores: [ { cvss_v3: { baseScore: 7.3, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, products: [ "CSAFPID-0001", "CSAFPID-0002", ], }, ], }, { cve: "CVE-2020-14491", cwe: { id: "CWE-862", name: "Missing Authorization", }, notes: [ { category: "summary", text: "The system does not properly check permissions before executing SQL queries, which may allow a low-privilege user to access privileged information.CVE-2020-14491 has been assigned to this vulnerability. 
A CVSS v3 base score of 8.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).", title: "Vulnerability Summary", }, ], product_status: { known_affected: [ "CSAFPID-0001", "CSAFPID-0002", ], }, references: [ { category: "external", summary: "web.nvd.nist.gov", url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14491", }, { category: "external", summary: "www.first.org", url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", }, ], remediations: [ { category: "vendor_fix", details: "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.", product_ids: [ "CSAFPID-0001", "CSAFPID-0002", ], url: "https://sourceforge.net/projects/open-clinic/files/", }, ], scores: [ { cvss_v3: { baseScore: 8.3, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", version: "3.0", }, products: [ "CSAFPID-0001", "CSAFPID-0002", ], }, ], }, { cve: "CVE-2020-14488", cwe: { id: "CWE-250", name: "Execution with Unnecessary Privileges", }, notes: [ { category: "summary", text: "A low-privilege user may use SQL syntax to write arbitrary files to the server, which may allow the execution of arbitrary commands.CVE-2020-14493 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).CVE-2020-14488 has been assigned to this vulnerability. 
A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).", title: "Vulnerability Summary", }, ], product_status: { known_affected: [ "CSAFPID-0001", "CSAFPID-0002", ], }, references: [ { category: "external", summary: "web.nvd.nist.gov", url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14488", }, { category: "external", summary: "www.first.org", url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", }, ], remediations: [ { category: "vendor_fix", details: "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.", product_ids: [ "CSAFPID-0001", "CSAFPID-0002", ], url: "https://sourceforge.net/projects/open-clinic/files/", }, ], scores: [ { cvss_v3: { baseScore: 8.8, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "CSAFPID-0001", "CSAFPID-0002", ], }, ], }, { cve: "CVE-2020-14490", cwe: { id: "CWE-434", name: "Unrestricted Upload of File with Dangerous Type", }, notes: [ { category: "summary", text: "The system does not properly verify uploaded files, which may allow a low-privilege user to upload and execute arbitrary files on the system.CVE-2020-14490 has been assigned to this vulnerability. 
A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).", title: "Vulnerability Summary", }, ], product_status: { known_affected: [ "CSAFPID-0001", "CSAFPID-0002", ], }, references: [ { category: "external", summary: "web.nvd.nist.gov", url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14490", }, { category: "external", summary: "www.first.org", url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", }, ], remediations: [ { category: "vendor_fix", details: "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.", product_ids: [ "CSAFPID-0001", "CSAFPID-0002", ], url: "https://sourceforge.net/projects/open-clinic/files/", }, ], scores: [ { cvss_v3: { baseScore: 8.8, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "CSAFPID-0001", "CSAFPID-0002", ], }, ], }, { cve: "CVE-2020-14486", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, notes: [ { category: "summary", text: "The system includes arbitrary local files specified within its parameter and executes some files, which may allow disclosure of sensitive files or the execution of malicious uploaded files.CVE-2020-14486 has been assigned to this vulnerability. 
A CVSS v3 base score of 6.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).", title: "Vulnerability Summary", }, ], product_status: { known_affected: [ "CSAFPID-0001", "CSAFPID-0002", ], }, references: [ { category: "external", summary: "web.nvd.nist.gov", url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14486", }, { category: "external", summary: "www.first.org", url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", }, ], remediations: [ { category: "vendor_fix", details: "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.", product_ids: [ "CSAFPID-0001", "CSAFPID-0002", ], url: "https://sourceforge.net/projects/open-clinic/files/", }, ], scores: [ { cvss_v3: { baseScore: 6.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, products: [ "CSAFPID-0001", "CSAFPID-0002", ], }, ], }, { cve: "CVE-2020-14492", cwe: { id: "CWE-285", name: "Improper Authorization", }, notes: [ { category: "summary", text: "An attacker may bypass permission/authorization checks by ignoring the redirect of a permission failure, which may allow unauthorized execution of commands.CVE-2020-14492 has been assigned to this vulnerability. 
A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N).", title: "Vulnerability Summary", }, ], product_status: { known_affected: [ "CSAFPID-0001", "CSAFPID-0002", ], }, references: [ { category: "external", summary: "web.nvd.nist.gov", url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14492", }, { category: "external", summary: "www.first.org", url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", }, ], remediations: [ { category: "vendor_fix", details: "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.", product_ids: [ "CSAFPID-0001", "CSAFPID-0002", ], url: "https://sourceforge.net/projects/open-clinic/files/", }, ], scores: [ { cvss_v3: { baseScore: 5.4, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "CSAFPID-0001", "CSAFPID-0002", ], }, ], }, { cve: "CVE-2014-0114", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, notes: [ { category: "summary", text: "The system does not properly neutralize user-controllable input, which may allow the execution of malicious code within the user 's browser.CVE-2014-0114, CVE-2016-1181, and CVE-2016-1182 are related to this vulnerability.A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).", title: "Vulnerability Summary", }, ], product_status: { known_affected: [ "CSAFPID-0001", "CSAFPID-0002", ], }, references: [ { category: "external", summary: "web.nvd.nist.gov", url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114", }, { category: "external", summary: "web.nvd.nist.gov", url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1181", }, { category: "external", summary: "web.nvd.nist.gov", url: 
"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1182", }, { category: "external", summary: "www.first.org", url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", }, ], remediations: [ { category: "vendor_fix", details: "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.", product_ids: [ "CSAFPID-0001", "CSAFPID-0002", ], url: "https://sourceforge.net/projects/open-clinic/files/", }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "CSAFPID-0001", "CSAFPID-0002", ], }, ], }, { cve: "CVE-2016-1181", cwe: { id: "CWE-1104", name: "Use of Unmaintained Third Party Components", }, notes: [ { category: "summary", text: "The system contains third-party software versions that are end-of-life and contain known vulnerabilities, which may allow remote code execution.CVE-2020-14489 has been assigned to this vulnerability. 
A CVSS v3 base score of 6.2 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).", title: "Vulnerability Summary", }, ], product_status: { known_affected: [ "CSAFPID-0001", "CSAFPID-0002", ], }, references: [ { category: "external", summary: "web.nvd.nist.gov", url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14489", }, { category: "external", summary: "www.first.org", url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", }, ], remediations: [ { category: "vendor_fix", details: "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.", product_ids: [ "CSAFPID-0001", "CSAFPID-0002", ], url: "https://sourceforge.net/projects/open-clinic/files/", }, ], scores: [ { cvss_v3: { baseScore: 6.2, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "CSAFPID-0001", "CSAFPID-0002", ], }, ], }, { cve: "CVE-2016-1182", cwe: { id: "CWE-522", name: "Insufficiently Protected Credentials", }, notes: [ { category: "summary", text: "The system stores passwords using inadequate hashing complexity, which may allow an attacker to recover passwords using known password cracking techniques.CVE-2020-14487 has been assigned to this vulnerability. 
A CVSS v3 base score of 9.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).\n", title: "Vulnerability Summary", }, ], product_status: { known_affected: [ "CSAFPID-0001", "CSAFPID-0002", ], }, references: [ { category: "external", summary: "web.nvd.nist.gov", url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14487", }, { category: "external", summary: "www.first.org", url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", }, ], remediations: [ { category: "vendor_fix", details: "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.", product_ids: [ "CSAFPID-0001", "CSAFPID-0002", ], url: "https://sourceforge.net/projects/open-clinic/files/", }, ], scores: [ { cvss_v3: { baseScore: 9.4, baseSeverity: "CRITICAL", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", version: "3.0", }, products: [ "CSAFPID-0001", "CSAFPID-0002", ], }, ], }, ], }
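The CSAF record above carries its own disclaimer that it was extracted from unstructured data, and the visible entries show why a consumer should not ingest it blindly: the objects whose `cve` field reads CVE-2016-1181 and CVE-2016-1182 have summary notes and NVD references for CVE-2020-14489 and CVE-2020-14487, and the CVE-2020-14488 note also states that CVE-2020-14493 was assigned. The following checker is an added example written for this page, not code from CISA or the OpenClinic GA project. It walks a CSAF 2.0 document in the shape shown above, resolves `known_affected` product ids through `product_tree`, confirms that the CVE named in each summary note and NVD reference matches the entry's `cve` field, and recomputes every CVSS v3 base score from its vector string (FIRST v3.0/v3.1 base equations, with the v3.1 Roundup to avoid float drift). The `SAMPLE` document is a constructed two-entry subset that mirrors the advisory's structure; it is not the full advisory.

```python
"""Consistency checks for a CSAF 2.0 advisory such as ICSMA-20-184-01 (added example)."""
import json
import math
import re

# CVSS v3.x base-metric weights from the FIRST specification.
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
_AC = {"L": 0.77, "H": 0.44}
_PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
_PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.5}
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
_CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def _roundup(x: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, computed on integers."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def cvss3_base_score(vector: str) -> float:
    """Recompute the base score from a vector like CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L."""
    m = dict(part.split(":") for part in vector.split("/")[1:])
    changed = m["S"] == "C"
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    pr = (_PR_CHANGED if changed else _PR_UNCHANGED)[m["PR"]]
    exploitability = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * pr * _UI[m["UI"]]
    if impact <= 0:
        return 0.0
    total = 1.08 * (impact + exploitability) if changed else impact + exploitability
    return _roundup(min(total, 10))


def product_names(tree: dict) -> dict:
    """Map every product_id in a CSAF product_tree to its full product name."""
    names = {}

    def walk(branch):
        prod = branch.get("product")
        if prod:
            names[prod["product_id"]] = prod["name"]
        for child in branch.get("branches", []):
            walk(child)

    for top in tree.get("branches", []):
        walk(top)
    return names


def check_advisory(doc: dict) -> list:
    """Return one finding per inconsistency; an empty list means the record is self-consistent."""
    findings = []
    names = product_names(doc.get("product_tree", {}))
    for v in doc.get("vulnerabilities", []):
        cve = v["cve"]
        # The summary note's "CVE-... has been assigned" must name this entry's own CVE.
        for note in v.get("notes", []):
            for assigned in re.findall(r"(CVE-\d{4}-\d+) has been assigned", note["text"]):
                if assigned != cve:
                    findings.append(f"{cve}: note assigns {assigned}")
        # An NVD reference that names CVEs must include this entry's CVE.
        for ref in v.get("references", []):
            ids = set(_CVE_RE.findall(ref["url"]))
            if "nvd.nist.gov" in ref["url"] and ids and cve not in ids:
                findings.append(f"{cve}: NVD reference is for {','.join(sorted(ids))}")
        # The published baseScore must equal the score the vector string yields.
        for s in v.get("scores", []):
            c = s["cvss_v3"]
            got = cvss3_base_score(c["vectorString"])
            if abs(got - c["baseScore"]) > 1e-9:
                findings.append(f"{cve}: baseScore {c['baseScore']} but vector gives {got}")
        # Every affected product id must resolve through the product tree.
        for pid in v.get("product_status", {}).get("known_affected", []):
            if pid not in names:
                findings.append(f"{cve}: unknown product id {pid}")
    return findings


def check_file(path: str) -> list:
    """Load a CSAF JSON file from disk and run the checks on it."""
    with open(path, encoding="utf-8") as fh:
        return check_advisory(json.load(fh))


# Constructed sample mirroring the advisory's structure: one clean entry, one entry with the
# same kind of mismatch the page shows (cve field vs. note/reference, plus an unlisted product).
SAMPLE = {
    "product_tree": {"branches": [{"category": "vendor", "name": "OpenClinic GA", "branches": [
        {"category": "product_name", "name": "OpenClinic GA", "branches": [
            {"category": "product_version", "name": "5.09.02",
             "product": {"name": "OpenClinic GA: Version 5.09.02", "product_id": "CSAFPID-0001"}}]}]}]},
    "vulnerabilities": [
        {"cve": "CVE-2020-14485",
         "notes": [{"category": "summary", "text": "CVE-2020-14485 has been assigned to this vulnerability."}],
         "references": [{"category": "external", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14485"}],
         "product_status": {"known_affected": ["CSAFPID-0001"]},
         "scores": [{"cvss_v3": {"baseScore": 9.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"}}]},
        {"cve": "CVE-2016-1181",
         "notes": [{"category": "summary", "text": "CVE-2020-14489 has been assigned to this vulnerability."}],
         "references": [{"category": "external", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14489"}],
         "product_status": {"known_affected": ["CSAFPID-0001", "CSAFPID-0002"]},
         "scores": [{"cvss_v3": {"baseScore": 6.2, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}]},
    ],
}

if __name__ == "__main__":
    for finding in check_advisory(SAMPLE):
        print(finding)
```

Run against the published JSON (`check_file("icsma-20-184-01.json")`, assuming the file from the advisory's self reference has been downloaded) the same checks flag the entries noted above, while every base score in the record recomputes to the value CISA published. Treat a `cve`/note mismatch as a signal to key the entry on the CVE in the note and NVD reference, not on the `cve` field, before it feeds a vulnerability-management pipeline.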
icsma-20-184-01
Vulnerability from csaf_cisa
Notes
{ document: { acknowledgments: [ { names: [ "Brian D. Hysell", ], summary: "reporting these vulnerabilities to CISA", }, ], category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Disclosure is not limited", tlp: { label: "WHITE", url: "https://us-cert.cisa.gov/tlp/", }, }, lang: "en-US", notes: [ { category: "general", text: "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov", title: "CISA Disclaimer", }, { category: "legal_disclaimer", text: "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.", title: "Legal Notice", }, { category: "summary", text: "Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication, discover restricted information, view/manipulate restricted database information, and/or execute malicious code.", title: "Risk evaluation", }, { category: "other", text: "Healthcare and Public Health", title: "Critical infrastructure sectors", }, { category: "other", text: "Worldwide", title: "Countries/areas deployed", }, { category: "other", text: "Open-source", title: "Company headquarters location", }, { category: "general", text: "CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. 
Specifically, users should:", title: "Recommended Practices", }, { category: "general", text: "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.", title: "Recommended Practices", }, { category: "general", text: "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.", title: "Recommended Practices", }, { category: "general", text: "CISA also recommends users take the following measures to protect themselves from social engineering attacks:", title: "Recommended Practices", }, ], publisher: { category: "coordinator", contact_details: "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870", name: "CISA", namespace: "https://www.cisa.gov/", }, references: [ { category: "self", summary: "ICS Advisory ICSMA-20-184-01 JSON", url: "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2020/icsma-20-184-01.json", }, { category: "self", summary: "ICS Advisory ICSMA-20-184-01 Web Version", url: "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-20-184-01", }, { category: "external", summary: "Recommended Practices", url: "https://us-cert.cisa.gov/ncas/tips/ST04-014", }, { category: "external", summary: "Recommended Practices", url: 
"https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf", }, { category: "external", summary: "Recommended Practices", url: "https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B", }, ], title: "OpenClinic GA (Update B)", tracking: { current_release_date: "2021-06-15T00:00:00.000000Z", generator: { engine: { name: "CISA CSAF Generator", version: "1.0.0", }, }, id: "ICSMA-20-184-01", initial_release_date: "2020-07-02T00:00:00.000000Z", revision_history: [ { date: "2020-07-02T00:00:00.000000Z", legacy_version: "Initial", number: "1", summary: "ICSMA-20-184-01 OpenClinic GA", }, { date: "2020-08-27T00:00:00.000000Z", legacy_version: "A", number: "2", summary: "ICSMA-20-184-01 OpenClinic GA (Update A)", }, { date: "2021-06-15T00:00:00.000000Z", legacy_version: "B", number: "3", summary: "ICSMA-20-184-01 OpenClinic GA (Update B)", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "5.09.02", product: { name: "OpenClinic GA: Version 5.09.02", product_id: "CSAFPID-0001", }, }, ], category: "product_name", name: "OpenClinic GA", }, { branches: [ { category: "product_version", name: "5.89.05b", product: { name: "OpenClinic GA: Version 5.89.05b", product_id: "CSAFPID-0002", }, }, ], category: "product_name", name: "OpenClinic GA", }, ], category: "vendor", name: "OpenClinic GA", }, ], }, vulnerabilities: [ { cve: "CVE-2020-14485", cwe: { id: "CWE-288", name: "Authentication Bypass Using an Alternate Path or Channel", }, notes: [ { category: "summary", text: "An attacker may bypass client-side access controls or use a crafted request to initiate a session with limited functionality, which may allow execution of admin functions such as SQL queries.CVE-2020-14485 has been assigned to this vulnerability. 
A CVSS v3 base score of 9.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).", title: "Vulnerability Summary", }, ], product_status: { known_affected: [ "CSAFPID-0001", "CSAFPID-0002", ], }, references: [ { category: "external", summary: "web.nvd.nist.gov", url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14485", }, { category: "external", summary: "www.first.org", url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", }, ], remediations: [ { category: "vendor_fix", details: "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.", product_ids: [ "CSAFPID-0001", "CSAFPID-0002", ], url: "https://sourceforge.net/projects/open-clinic/files/", }, ], scores: [ { cvss_v3: { baseScore: 9.4, baseSeverity: "CRITICAL", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", version: "3.0", }, products: [ "CSAFPID-0001", "CSAFPID-0002", ], }, ], }, { cve: "CVE-2020-14484", cwe: { id: "CWE-307", name: "Improper Restriction of Excessive Authentication Attempts", }, notes: [ { category: "summary", text: "An attacker can bypass the system 's account lockout protection, which may allow brute force password attacks.CVE-2020-14484 has been assigned to this vulnerability. 
A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).", title: "Vulnerability Summary", }, ], product_status: { known_affected: [ "CSAFPID-0001", "CSAFPID-0002", ], }, references: [ { category: "external", summary: "web.nvd.nist.gov", url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14484", }, { category: "external", summary: "www.first.org", url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", }, ], remediations: [ { category: "vendor_fix", details: "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.", product_ids: [ "CSAFPID-0001", "CSAFPID-0002", ], url: "https://sourceforge.net/projects/open-clinic/files/", }, ], scores: [ { cvss_v3: { baseScore: 7.3, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, products: [ "CSAFPID-0001", "CSAFPID-0002", ], }, ], }, { cve: "CVE-2020-14494", cwe: { id: "CWE-287", name: "Improper Authentication", }, notes: [ { category: "summary", text: "An authentication mechanism within the system does not contain sufficient complexity to protect against brute force attacks, which may allow unauthorized users to access the system after no more than a fixed maximum number of attempts.CVE-2020-14494 has been assigned to this vulnerability. 
A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).", title: "Vulnerability Summary", }, ], product_status: { known_affected: [ "CSAFPID-0001", "CSAFPID-0002", ], }, references: [ { category: "external", summary: "web.nvd.nist.gov", url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14494", }, { category: "external", summary: "www.first.org", url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", }, ], remediations: [ { category: "vendor_fix", details: "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.", product_ids: [ "CSAFPID-0001", "CSAFPID-0002", ], url: "https://sourceforge.net/projects/open-clinic/files/", }, ], scores: [ { cvss_v3: { baseScore: 7.3, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, products: [ "CSAFPID-0001", "CSAFPID-0002", ], }, ], }, { cve: "CVE-2020-14491", cwe: { id: "CWE-862", name: "Missing Authorization", }, notes: [ { category: "summary", text: "The system does not properly check permissions before executing SQL queries, which may allow a low-privilege user to access privileged information.CVE-2020-14491 has been assigned to this vulnerability. 
A CVSS v3 base score of 8.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).", title: "Vulnerability Summary", }, ], product_status: { known_affected: [ "CSAFPID-0001", "CSAFPID-0002", ], }, references: [ { category: "external", summary: "web.nvd.nist.gov", url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14491", }, { category: "external", summary: "www.first.org", url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", }, ], remediations: [ { category: "vendor_fix", details: "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.", product_ids: [ "CSAFPID-0001", "CSAFPID-0002", ], url: "https://sourceforge.net/projects/open-clinic/files/", }, ], scores: [ { cvss_v3: { baseScore: 8.3, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", version: "3.0", }, products: [ "CSAFPID-0001", "CSAFPID-0002", ], }, ], }, { cve: "CVE-2020-14488", cwe: { id: "CWE-250", name: "Execution with Unnecessary Privileges", }, notes: [ { category: "summary", text: "A low-privilege user may use SQL syntax to write arbitrary files to the server, which may allow the execution of arbitrary commands.CVE-2020-14493 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).CVE-2020-14488 has been assigned to this vulnerability. 
A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).", title: "Vulnerability Summary", }, ], product_status: { known_affected: [ "CSAFPID-0001", "CSAFPID-0002", ], }, references: [ { category: "external", summary: "web.nvd.nist.gov", url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14488", }, { category: "external", summary: "www.first.org", url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", }, ], remediations: [ { category: "vendor_fix", details: "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.", product_ids: [ "CSAFPID-0001", "CSAFPID-0002", ], url: "https://sourceforge.net/projects/open-clinic/files/", }, ], scores: [ { cvss_v3: { baseScore: 8.8, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "CSAFPID-0001", "CSAFPID-0002", ], }, ], }, { cve: "CVE-2020-14490", cwe: { id: "CWE-434", name: "Unrestricted Upload of File with Dangerous Type", }, notes: [ { category: "summary", text: "The system does not properly verify uploaded files, which may allow a low-privilege user to upload and execute arbitrary files on the system.CVE-2020-14490 has been assigned to this vulnerability. 
A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).", title: "Vulnerability Summary", }, ], product_status: { known_affected: [ "CSAFPID-0001", "CSAFPID-0002", ], }, references: [ { category: "external", summary: "web.nvd.nist.gov", url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14490", }, { category: "external", summary: "www.first.org", url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", }, ], remediations: [ { category: "vendor_fix", details: "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.", product_ids: [ "CSAFPID-0001", "CSAFPID-0002", ], url: "https://sourceforge.net/projects/open-clinic/files/", }, ], scores: [ { cvss_v3: { baseScore: 8.8, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "CSAFPID-0001", "CSAFPID-0002", ], }, ], }, { cve: "CVE-2020-14486", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, notes: [ { category: "summary", text: "The system includes arbitrary local files specified within its parameter and executes some files, which may allow disclosure of sensitive files or the execution of malicious uploaded files.CVE-2020-14486 has been assigned to this vulnerability. 
A CVSS v3 base score of 6.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).", title: "Vulnerability Summary", }, ], product_status: { known_affected: [ "CSAFPID-0001", "CSAFPID-0002", ], }, references: [ { category: "external", summary: "web.nvd.nist.gov", url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14486", }, { category: "external", summary: "www.first.org", url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", }, ], remediations: [ { category: "vendor_fix", details: "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.", product_ids: [ "CSAFPID-0001", "CSAFPID-0002", ], url: "https://sourceforge.net/projects/open-clinic/files/", }, ], scores: [ { cvss_v3: { baseScore: 6.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, products: [ "CSAFPID-0001", "CSAFPID-0002", ], }, ], }, { cve: "CVE-2020-14492", cwe: { id: "CWE-285", name: "Improper Authorization", }, notes: [ { category: "summary", text: "An attacker may bypass permission/authorization checks by ignoring the redirect of a permission failure, which may allow unauthorized execution of commands.CVE-2020-14492 has been assigned to this vulnerability. 
A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N).", title: "Vulnerability Summary", }, ], product_status: { known_affected: [ "CSAFPID-0001", "CSAFPID-0002", ], }, references: [ { category: "external", summary: "web.nvd.nist.gov", url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14492", }, { category: "external", summary: "www.first.org", url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", }, ], remediations: [ { category: "vendor_fix", details: "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.", product_ids: [ "CSAFPID-0001", "CSAFPID-0002", ], url: "https://sourceforge.net/projects/open-clinic/files/", }, ], scores: [ { cvss_v3: { baseScore: 5.4, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "CSAFPID-0001", "CSAFPID-0002", ], }, ], }, { cve: "CVE-2014-0114", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, notes: [ { category: "summary", text: "The system does not properly neutralize user-controllable input, which may allow the execution of malicious code within the user 's browser.CVE-2014-0114, CVE-2016-1181, and CVE-2016-1182 are related to this vulnerability.A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).", title: "Vulnerability Summary", }, ], product_status: { known_affected: [ "CSAFPID-0001", "CSAFPID-0002", ], }, references: [ { category: "external", summary: "web.nvd.nist.gov", url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114", }, { category: "external", summary: "web.nvd.nist.gov", url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1181", }, { category: "external", summary: "web.nvd.nist.gov", url: 
"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1182", }, { category: "external", summary: "www.first.org", url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", }, ], remediations: [ { category: "vendor_fix", details: "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.", product_ids: [ "CSAFPID-0001", "CSAFPID-0002", ], url: "https://sourceforge.net/projects/open-clinic/files/", }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "CSAFPID-0001", "CSAFPID-0002", ], }, ], }, { cve: "CVE-2016-1181", cwe: { id: "CWE-1104", name: "Use of Unmaintained Third Party Components", }, notes: [ { category: "summary", text: "The system contains third-party software versions that are end-of-life and contain known vulnerabilities, which may allow remote code execution.CVE-2020-14489 has been assigned to this vulnerability. 
A CVSS v3 base score of 6.2 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).", title: "Vulnerability Summary", }, ], product_status: { known_affected: [ "CSAFPID-0001", "CSAFPID-0002", ], }, references: [ { category: "external", summary: "web.nvd.nist.gov", url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14489", }, { category: "external", summary: "www.first.org", url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", }, ], remediations: [ { category: "vendor_fix", details: "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.", product_ids: [ "CSAFPID-0001", "CSAFPID-0002", ], url: "https://sourceforge.net/projects/open-clinic/files/", }, ], scores: [ { cvss_v3: { baseScore: 6.2, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "CSAFPID-0001", "CSAFPID-0002", ], }, ], }, { cve: "CVE-2016-1182", cwe: { id: "CWE-522", name: "Insufficiently Protected Credentials", }, notes: [ { category: "summary", text: "The system stores passwords using inadequate hashing complexity, which may allow an attacker to recover passwords using known password cracking techniques.CVE-2020-14487 has been assigned to this vulnerability. 
A CVSS v3 base score of 9.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).\n", title: "Vulnerability Summary", }, ], product_status: { known_affected: [ "CSAFPID-0001", "CSAFPID-0002", ], }, references: [ { category: "external", summary: "web.nvd.nist.gov", url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14487", }, { category: "external", summary: "www.first.org", url: "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", }, ], remediations: [ { category: "vendor_fix", details: "OpenClinic GA has released an updated version to resolve these vulnerabilities, and recommend users upgrade to Version 5.170.5 or later.", product_ids: [ "CSAFPID-0001", "CSAFPID-0002", ], url: "https://sourceforge.net/projects/open-clinic/files/", }, ], scores: [ { cvss_v3: { baseScore: 9.4, baseSeverity: "CRITICAL", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", version: "3.0", }, products: [ "CSAFPID-0001", "CSAFPID-0002", ], }, ], }, ], }
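The CVE-2014-0114 records on this page describe the bug as the ActionForm population path taking a request parameter whose name begins with the `class` property and resolving it through getClass() into the ClassLoader. The following Python is an added example for this page, not code from Apache Struts, Commons BeanUtils, SUSE, CISA or any other party quoted here: it shows the check a reviewer or a request filter can apply, namely parsing a parameter name as a BeanUtils-style nested-property expression and flagging any name that walks through the `class` segment, then running that check over access-log request lines. The sample log lines are constructed, the function names are hypothetical, and the tokenizer and its case-insensitive match are this example's own conservative choices rather than the framework's rule. The real fix belongs in the framework or the bean-population library; this is a detection and defense-in-depth layer.

```python
"""Detection helper for CVE-2014-0114-style ClassLoader manipulation.

Added example; this is not code from Apache Struts, Commons BeanUtils, SUSE,
CISA or any other party quoted on this page.  The Struts 1 ActionForm bug is
that a request parameter *name* is treated as a BeanUtils nested-property
expression, so a name that starts with the `class` property is resolved via
getClass() down into the ClassLoader.  No legitimate HTML form field is named
that way, so the parameter name alone is a reliable signal.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlsplit

# Tokens of a BeanUtils-style expression: quoted mapped keys and bare property
# names.  Dots, brackets and numeric indexes (items[0]) are separators, not
# properties, and are skipped.  (Assumption: treating quoted keys as property
# segments is deliberately conservative.)
_TOKEN = re.compile(
    r"""'([^']*)'            # single-quoted mapped key
      | "([^"]*)"            # double-quoted mapped key
      | ([A-Za-z_$][\w$]*)   # bare property name
    """,
    re.VERBOSE,
)


def property_segments(param_name: str) -> list[str]:
    """Return the bean-property segments of a parameter name.

    'class.classLoader.x'   -> ['class', 'classLoader', 'x']
    "class['classLoader']"  -> ['class', 'classLoader']
    'items[0].name'         -> ['items', 'name']
    """
    return [
        next(g for g in m.groups() if g is not None)
        for m in _TOKEN.finditer(param_name)
    ]


def is_classloader_probe(param_name: str) -> bool:
    """True when any segment of the name is the `class` bean property.

    Case-insensitive on purpose (assumption: a filter should not depend on
    one framework's case rules); `className` or `subclass` do not match.
    """
    return any(seg.lower() == "class" for seg in property_segments(param_name))


# Request line of a Common/Combined Log Format entry, e.g. "GET /x?y=1 HTTP/1.1"
_CLF_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_params_in_log(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line_number, parameter_name) for every query parameter whose
    name is a ClassLoader probe.  parse_qsl percent-decodes names, so
    `class%2EclassLoader` is caught as well as the plain form.  Only the query
    string is visible here: POST bodies never reach the access log."""
    hits: list[tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        match = _CLF_REQUEST.search(line)
        if match is None:
            continue
        query = urlsplit(match.group("target")).query
        for name, _value in parse_qsl(query, keep_blank_values=True):
            if is_classloader_probe(name):
                hits.append((number, name))
    return hits


# Constructed sample log lines (not a real capture); IPs and paths are invented.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Apr/2014:10:12:01 +0000] "GET /app/login.do?username=bob&password=x HTTP/1.1" 200 512',
    '10.0.0.9 - - [30/Apr/2014:10:12:07 +0000] "GET /app/login.do?class.classLoader.x=1 HTTP/1.1" 500 0',
    '10.0.0.9 - - [30/Apr/2014:10:12:09 +0000] "GET /app/login.do?class%5B%27classLoader%27%5D.x=1 HTTP/1.1" 500 0',
    '10.0.0.7 - - [30/Apr/2014:10:13:00 +0000] "POST /app/save.do HTTP/1.1" 302 0',
    '10.0.0.7 - - [30/Apr/2014:10:13:30 +0000] "GET /app/list.do?className=Widget&items[0].name=a HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, name in suspicious_params_in_log(SAMPLE_LOG):
        print(f"line {number}: ClassLoader probe in parameter name {name!r}")
```

Run stand-alone it reports the second and third sample lines. The same `is_classloader_probe` check is what a servlet filter in front of a Struts 1 application would apply to every parameter name, including POST bodies, which an access log never shows; matching on `class` as a whole segment rather than as a substring keeps ordinary fields such as `className` from being rejected.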
suse-ru-2015:0611-1
Vulnerability from csaf_suse
Notes
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Recommended update for SUSE Manager Server 2.1", title: "Title of the patch", }, { category: "description", text: "\nThis collective update for SUSE Manager Server 2.1 provides the following \nnew features:\n\n * Connect SUSE Manager to the SUSE Customer Center.\n * Manage SLE12 systems.\n * ISS: export/import information about cloned channels to support\n Service Pack migration on ISS slaves. (FATE#317789)\n * New API calls: system.scheduleSPMigration(),\n system.scheduleDistUpgrade(). (FATE#314785, FATE#314340)\n\nAdditionally, several issues have been fixed:\n\nauditlog-keeper:\n\n * Fix value too long for type character varying(2048). (bnc#872351)\n * Fix init.d script restart. (bsc#872029)\n\ncobbler:\n\n * Require syslinux-x86_64 on s390x. (bsc#884051)\n * Fix fetching of profiles for auto-installation. (bsc#880936)\n * Fix port guessing in koan. (bsc#855389)\n * Add 'copy-default' option to grubby-compat. (bsc#855389)\n * Handle elilo in SUSE. (bsc#855389)\n * Fix wrong option 'text' in SUSE environment. (bsc#901058)\n * Fix re-installation on SLE with static network configuration.\n (bsc#883487)\n * Add RHEL 7 as a valid operating system version.\n\noracle-config:\n\n * No need to pre-require Apache as its user and group are available in\n the base system.\n\nosad:\n\n * Enable and install osad during first installation. (bsc#901958)\n\npxe-default-image:\n\n * Add bind-utils (dig) to packagelist. (bsc#889739)\n * Wait for gateway to become available before register. (bsc#895001)\n\nrhnlib:\n\n * Ensure bytes strings are sent to pyOpenSSL. 
(bnc#880388)\n\nrhnpush:\n\n * Add default path structure to proxy lookaside that avoids collisions.\n\nsm-ncc-sync-data:\n\n * Add SUSE Cloud 4 channels. (bnc#883057)\n * Add channels for SUSE Manager Server 2.1 s390x.\n * Fix parent label of the LTSS channel for SLMS.\n * Add ATI and nVidia channels for SLED11-SP3. (bsc#901108)\n * Add support for RES7 in SUSE Manager. (bsc#897723, bsc#893608)\n\nsmdba:\n\n * Fix 'system check breaks backup and other configuration'.\n * Implement rotating PostgreSQL backup. (bsc#896244)\n * Space reclamation caused ORA-00942: table or view does not exist.\n (bsc#906850)\n * Archival of PosgreSQL transaction log does not recover in case of no\n space left on device. (bsc#915140)\n\nspacecmd:\n\n * Fix listupgrades. (bsc#892707)\n * Make print_result a static method of SpacewalkShell. (bsc#889605)\n * Call listAutoinstallableChannels() for listing distributions.\n (bsc#887879)\n * Fix spacecmd schedule listing. (bsc#902494)\n * Fix call of setCustomOptions() during kickstart_importjson.\n (bsc#879904)\n * Fix configchannel export: do not create 'contents' key for\n directories. (bsc#908849)\n\nspacewalk-backend:\n\n * Insert update tag at the correct place for SLE12. (bsc#907677)\n * Trigger generation of metadata if the repo contains no packages.\n (bsc#870159)\n * Convert mtime to localtime to prevent invalid times because of DST.\n (bsc#914437)\n * Do not exit with error if a vendor channel has no URL associated.\n (bsc#914260)\n * Convert empty string to null for DMI values. (bsc#911272)\n\nspacewalk-branding:\n\n * CVE patches adapted for colour blind users. (bnc#872298)\n * Underline in icons is removed. (bnc#880001)\n * Fix link to macro documentation. (bsc#895961)\n * Fix branding in error message. (bsc#902503)\n\nspacewalk-certs-tools:\n\n * Fix removal of existing host key entries. (bsc#886391)\n * Remove duplicates from authorized_keys2 as well. 
(bsc#885889)\n * Do not allow registering a SUSE Manager server against itself.\n (bsc#841731)\n\nspacewalk-client-tools:\n\n * Allow unicode characters in proxy username and password.\n * Send correct hostname. (bsc#887538)\n\nspacewalk-config:\n\n * Add recommended Apache settings from the Security Team.\n\nspacewalk-java:\n\n * Fix human dates now() staying unmodified. (bnc#880081)\n * Allow for null evr and archs on event history detail. (bnc#880327)\n * Disable form autocompletion in some places. (bnc#879998)\n * Fix datepicker time at xx:xx PM pre-filled with xx:xx AM.\n (bnc#881522)\n * Fixed package upgrade via SSM when using the Oracle DB as backend.\n (bnc#889721)\n * This update fixes various cross-site scripting (XSS) issues in\n spacewalk-java. (CVE-2014-3654, bnc#902182)\n * Sync correct repositories. (bnc#904959)\n * Fix pxt page link to point to the ported version of that page.\n (bsc#903720)\n * Correctly apply patches to multiple systems in SSM. (bsc#898242)\n * Fix CVE audit when some packages of a patch are already installed.\n (bsc#899266)\n * Download CSV button does not export all columns ('Base Channel'\n missing). (bsc#896238)\n * Read and display only a limited number of logfile lines. (bsc#883009)\n * Fix package upgrade via SSM. (bsc#889721)\n * Fix logrotate for /var/log/rhn/rhn_web_api.log. (bsc#884081)\n * Throw channel name exception if name is already used. (bnc#901675)\n * Don't commit when XMLRPCExceptions are thrown. (bsc#908320)\n * Remove 'Select All' button from system currency report. (bsc#653265)\n * Fix documentation search. (bsc#875452)\n * Add API listAutoinstallableChannels(). (bsc#887879)\n * Avoid ArrayIndexOutOfBoundsException with invalid URLs. (bsc#892711)\n * Avoid NumberFormatException in case of invalid URL. (bsc#892711)\n * Lookup kickstart tree only when org is found. (bsc#892711)\n * Fix NPE on GET /rhn/common/DownloadFile.do. 
(bsc#892711)\n * Port of the advanced provisioning option page to bootstrap.\n (bnc#862408)\n * mgr-sync refresh sets wrong permissions on JSON files. (bnc#907337)\n * Fix link to macro documentation. (bsc#895961)\n * Forward to 'raw mode' page in case this is an uploaded profile.\n (bsc#904841)\n * Enlarge big text area to use more available screen space.\n (bnc#867836)\n * Fix links to monitoring documentation. (bsc#906887)\n * Fix install type detection. (bsc#875231)\n * Point 'Register Clients' link to 'Client Configuration Guide'.\n (bsc#880026)\n * Change order of installer type: prefer SUSE Linux. (bsc#860299)\n * Fix ISE when clicking system currency. (bnc#905530)\n * Set cobbler hostname variable when calling system.createSystemRecord.\n (bnc#904699)\n * Fix wrong install=http://nullnull line when calling\n system.createSystemRecord. (bnc#904699)\n * Explain snapshot/rollback behavior better. (bsc#808947)\n * Fix patch syncing: prevent hibernate.NonUniqueObjectException\n androllback. (bsc#903880)\n * Remove 'Add Selected to SSM' from system overview page. (bsc#901776)\n * Fix CVE audit in case of multi-version package installed and patch in\n multi channels. (bsc#903723)\n * Update channel family membership when channel is updated.\n (bsc#901193)\n * Add log warning if uploaded file size > 1MB. (bnc#901927)\n * Fix channel package compare. (bsc#904690)\n * Fix automatic configuration file deployment via snippet. (bsc#898426)\n * Add client hostname or IP to log messages. (bsc#904732)\n * Fixed copying text from kickstart snippets. (bsc#880087)\n * Fix auditlog config yaml syntax. (bsc#913221)\n * Show Proxy tab if system is a proxy even when assigned to cloned\n channels. (bsc#913939)\n * Fixed uncaught error which prevent correct error handling.\n (bsc#858971)\n * Fix NPE by setting max_members to 0 instead of NULL. (bsc#912035)\n * Fix more cross-site-scripting (XSS) issues. (CVE-2014-7811,\n bsc#902915)\n * Fix basic authentication for HTTP proxies. 
(bsc#912057)\n * Accept repos with same SCC ID and different URLs. (bsc#911808)\n * Avoid mgr-sync-refresh failure because clear_log_id was not called.\n (bsc#911166)\n * Fix cross-site-scripting (XSS) issue in system-group (CVE-2014-7812,\n bsc#912886)\n * Fix 'Select All' buttons display on rhn:list and make it consistent\n with new rl:list. (bsc#909724)\n * Fix List tag missing submit parameter for 'Select All' and others.\n (bnc#909724)\n * Sort filelist in configfile.compare event history alphabetically.\n (bsc#910243)\n * Allow parenthesis in system group description. (bsc#903064)\n * Provide new API documentation in PDF format. (bsc#896029)\n * Update the example scripts section. (bsc#896029)\n * Fixed wording issues on package lock page. (bsc#880022)\n * Make text more clear for package profile sync. (bsc#884350)\n\nspacewalk-reports:\n\n * Added channel- and server-group-ids to activation-keys.\n * Added spacewalk-report for systems with extra packages.\n\nspacewalk-search:\n\n * Fix package searching in shared channels.\n\nspacewalk-setup:\n\n * Setup /etc/sudoers in SUSE Manager upgrade scripts (bnc#881711)\n * No activation if database population should be skipped. (bsc#900956)\n * Do not enable spacewalk-service in runlevel 4. (bsc#879992)\n\nspacewalk-utils:\n\n * Fixed spacewalk-hostname-rename to work with PostgreSQL backend.\n * Added limitation of spacewalk-clone-by-date for RHEL4 and earlier.\n * Add openSUSE 13.2 repositories to spacewalk-common-channels.\n * Improve clone-by-date dependency resolution.\n * Add CentOS 7 and EPEL 7 channels.\n * Fix error if blacklist / removelist is not in scbd configurationfile.\n\nspacewalk-web:\n\n * Fix links to monitoring documentation. (bsc#906887)\n * Show Proxy tab if system is a proxy even when assigned to cloned\n channels. 
(bsc#913939)\n\nsupportutils-plugin-susemanager:\n\n * Write current service and repository configuration into\n supportconfig.\n\nsusemanager-manuals_en, susemanager-jsp_en:\n\n * Clarification about supported Web browsers. (bsc#889905)\n * Update text and image files. (bnc#907527)\n * Document NCC to SCC switch with SUSE Manager 2.1. (bnc#907106,\n bnc#907643, bnc#907645, bnc#907646)\n * SUSE Manager server update description. (bnc#902373)\n * Activation keys and packages. (bnc#767279)\n * Cobbler (bnc#880027), Link fix (bnc#881225), Wagon (bnc#884366)\n * Install and ship the built PDFs. (bnc#907086)\n * Update text and image files (bsc#910494).\n * Firewall rules are incomplete - ssh-push and ssh-push-tunnel settings\n missing. (bsc#904703)\n * Document SP migration and ISS. (bsc#913215, partially).\n * Fix 'beta packages' mentioned in documentation. (bsc#886421).\n * User guide: Snapshots: clarify snaphot usage. (bsc#906851).\n * Document maximal supported configuration file limit. (bsc#910482).\n\nsusemanager-schema:\n\n * Add SLE 12 distribution targets to database.\n * Fix evr_t schema upgrade. (bsc#881111)\n * Allow evr_t to be compared with NULL in Oracle. (bsc#881111)\n * Add support to ppc64le architecture.\n * Fix migration script names to fix bare-metal registration.\n (bsc#896109)\n * Create regular index instead and have one migration per DB.\n (bsc#905072)\n * Drop unique index on package ids. (bsc#905072)\n * Fix NPE by setting max_members to 0 instead of NULL. (bsc#912035)\n * Fix old migration for future reference. (bsc#911180)\n * Avoid NPE when migrating to SCC on Oracle migrated from 1.7.\n (bsc#911180)\n\nsusemanager:\n\n * Update the sudoers file after SUSE Manager upgrade. (bnc#881711)\n * Fix oracle2postgres.sh (database configuration).\n * Replace /etc/motd after setup. (bsc#883379)\n * Make mgr-create-bootstrap-repo SCC and SLE 12 aware.\n * Abort setup when invalid SSL country code given. 
(bnc#882468)\n * Use noRepoSync parameter always.\n * Fixed error message on exception in mgr-sync. (bnc#905263)\n * Fixed add product to not trigger redundant addition of base channel.\n (bnc#901928)\n * Ask for the authentication beforehand. (bsc#908317)\n\nsusemanager-sync-data:\n\n * Add channels for Public Cloud Module. (bsc#907586)\n * Add new channel families SLE-WE and SLE-LP.\n * Add ATI and nVidia channels for SLED11-SP3. (bsc#901108)\n * Add channels for IBM-DLPAR for SLE12 ppc64le.\n * Added support for RES7 in SUSE Manager. (bsc#897723, bsc#893608)\n\nsuseRegisterInfo:\n\n * Re-add legacy suse_register_info to successfully perform the update.\n (bsc#898428)\n\nzypp-plugin-spacewalk:\n\n * Check for retrieveOnly option in up2date configuration and set\n download_only. (bsc#896254)\n * Changed the spec file to force usage of the official python VM.\n (bsc#889363)\n\nyum:\n\n * Preserve query parameters in URLs. (bsc#896844)\n\nstruts:\n\n * CVE-2014-0114: The ActionForm object in Apache Struts 1.x through\n 1.3.10 allows remote attackers to 'manipulate' the ClassLoader and\n execute arbitrary code via the class parameter, which is passed to\n the getClass method.\n\napache2-mod_wsgi:\n\n * CVE-2014-0242: Information exposure. (bnc#878553)\n * CVE-2014-0240: Local privilege escalation. (bnc#878550)\n * CVE-2014-8583: Failure to handle errors when attempting to drop group\n privileges. (bnc#903961)\n\nlibyaml-0-2:\n\n * Assert failure when processing wrapped strings (bnc#907809,\n CVE-2014-9130)\n\ntanukiwrapper:\n\n * Allow more than 4G as -Xmx option. (bsc#914900)\n\nThe following new packages have been added to the product: \nsusemanager-sync-data, google-gson, python-enum34.\n\nHow to apply this update:\n\n 1. Log in as root user to the SUSE Manager server.\n 2. Stop the Spacewalk service: spacewalk-service stop\n 3. Apply the patch using either zypper patch or YaST Online Update.\n 4. Upgrade the database schema with spacewalk-schema-upgrade\n 5. 
Start the Spacewalk service: spacewalk-service start\n\nSecurity Issues:\n\n * CVE-2014-0114\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114>\n * CVE-2014-0240\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0240>\n * CVE-2014-0242\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0242>\n * CVE-2014-3654\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3654>\n * CVE-2014-7811\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7811>\n * CVE-2014-7812\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7812>\n * CVE-2014-8583\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8583>\n * CVE-2014-9130\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9130>\n\n", title: "Description of the patch", }, { category: "details", text: "sleman21-suse-manager-201503", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/suse-ru-2015_0611-1.json", }, { category: "self", summary: "URL for SUSE-RU-2015:0611-1", url: "https://www.suse.com/support/update/announcement//suse-ru-20150611-1/", }, { category: "self", summary: "E-Mail link for SUSE-RU-2015:0611-1", url: "https://lists.suse.com/pipermail/sle-updates/2015-March/002829.html", }, { category: "self", summary: "SUSE Bug 653265", url: "https://bugzilla.suse.com/653265", }, { category: "self", summary: "SUSE Bug 767279", url: "https://bugzilla.suse.com/767279", }, { category: "self", summary: "SUSE Bug 808947", url: 
"https://bugzilla.suse.com/808947", }, { category: "self", summary: "SUSE Bug 841731", url: "https://bugzilla.suse.com/841731", }, { category: "self", summary: "SUSE Bug 855389", url: "https://bugzilla.suse.com/855389", }, { category: "self", summary: "SUSE Bug 858971", url: "https://bugzilla.suse.com/858971", }, { category: "self", summary: "SUSE Bug 860299", url: "https://bugzilla.suse.com/860299", }, { category: "self", summary: "SUSE Bug 862408", url: "https://bugzilla.suse.com/862408", }, { category: "self", summary: "SUSE Bug 867836", url: "https://bugzilla.suse.com/867836", }, { category: "self", summary: "SUSE Bug 870159", url: "https://bugzilla.suse.com/870159", }, { category: "self", summary: "SUSE Bug 872029", url: "https://bugzilla.suse.com/872029", }, { category: "self", summary: "SUSE Bug 872298", url: "https://bugzilla.suse.com/872298", }, { category: "self", summary: "SUSE Bug 872351", url: "https://bugzilla.suse.com/872351", }, { category: "self", summary: "SUSE Bug 875231", url: "https://bugzilla.suse.com/875231", }, { category: "self", summary: "SUSE Bug 875452", url: "https://bugzilla.suse.com/875452", }, { category: "self", summary: "SUSE Bug 878550", url: "https://bugzilla.suse.com/878550", }, { category: "self", summary: "SUSE Bug 878553", url: "https://bugzilla.suse.com/878553", }, { category: "self", summary: "SUSE Bug 879904", url: "https://bugzilla.suse.com/879904", }, { category: "self", summary: "SUSE Bug 879992", url: "https://bugzilla.suse.com/879992", }, { category: "self", summary: "SUSE Bug 879998", url: "https://bugzilla.suse.com/879998", }, { category: "self", summary: "SUSE Bug 880001", url: "https://bugzilla.suse.com/880001", }, { category: "self", summary: "SUSE Bug 880022", url: "https://bugzilla.suse.com/880022", }, { category: "self", summary: "SUSE Bug 880026", url: "https://bugzilla.suse.com/880026", }, { category: "self", summary: "SUSE Bug 880027", url: "https://bugzilla.suse.com/880027", }, { category: "self", summary: 
"SUSE Bug 880081", url: "https://bugzilla.suse.com/880081", }, { category: "self", summary: "SUSE Bug 880087", url: "https://bugzilla.suse.com/880087", }, { category: "self", summary: "SUSE Bug 880327", url: "https://bugzilla.suse.com/880327", }, { category: "self", summary: "SUSE Bug 880388", url: "https://bugzilla.suse.com/880388", }, { category: "self", summary: "SUSE Bug 880936", url: "https://bugzilla.suse.com/880936", }, { category: "self", summary: "SUSE Bug 881111", url: "https://bugzilla.suse.com/881111", }, { category: "self", summary: "SUSE Bug 881225", url: "https://bugzilla.suse.com/881225", }, { category: "self", summary: "SUSE Bug 881522", url: "https://bugzilla.suse.com/881522", }, { category: "self", summary: "SUSE Bug 881711", url: "https://bugzilla.suse.com/881711", }, { category: "self", summary: "SUSE Bug 882468", url: "https://bugzilla.suse.com/882468", }, { category: "self", summary: "SUSE Bug 883009", url: "https://bugzilla.suse.com/883009", }, { category: "self", summary: "SUSE Bug 883057", url: "https://bugzilla.suse.com/883057", }, { category: "self", summary: "SUSE Bug 883379", url: "https://bugzilla.suse.com/883379", }, { category: "self", summary: "SUSE Bug 883487", url: "https://bugzilla.suse.com/883487", }, { category: "self", summary: "SUSE Bug 884051", url: "https://bugzilla.suse.com/884051", }, { category: "self", summary: "SUSE Bug 884081", url: "https://bugzilla.suse.com/884081", }, { category: "self", summary: "SUSE Bug 884350", url: "https://bugzilla.suse.com/884350", }, { category: "self", summary: "SUSE Bug 884366", url: "https://bugzilla.suse.com/884366", }, { category: "self", summary: "SUSE Bug 885889", url: "https://bugzilla.suse.com/885889", }, { category: "self", summary: "SUSE Bug 886391", url: "https://bugzilla.suse.com/886391", }, { category: "self", summary: "SUSE Bug 886421", url: "https://bugzilla.suse.com/886421", }, { category: "self", summary: "SUSE Bug 887538", url: "https://bugzilla.suse.com/887538", }, { 
category: "self", summary: "SUSE Bug 887879", url: "https://bugzilla.suse.com/887879", }, { category: "self", summary: "SUSE Bug 889363", url: "https://bugzilla.suse.com/889363", }, { category: "self", summary: "SUSE Bug 889605", url: "https://bugzilla.suse.com/889605", }, { category: "self", summary: "SUSE Bug 889721", url: "https://bugzilla.suse.com/889721", }, { category: "self", summary: "SUSE Bug 889739", url: "https://bugzilla.suse.com/889739", }, { category: "self", summary: "SUSE Bug 889905", url: "https://bugzilla.suse.com/889905", }, { category: "self", summary: "SUSE Bug 892707", url: "https://bugzilla.suse.com/892707", }, { category: "self", summary: "SUSE Bug 892711", url: "https://bugzilla.suse.com/892711", }, { category: "self", summary: "SUSE Bug 893608", url: "https://bugzilla.suse.com/893608", }, { category: "self", summary: "SUSE Bug 895001", url: "https://bugzilla.suse.com/895001", }, { category: "self", summary: "SUSE Bug 895961", url: "https://bugzilla.suse.com/895961", }, { category: "self", summary: "SUSE Bug 896029", url: "https://bugzilla.suse.com/896029", }, { category: "self", summary: "SUSE Bug 896109", url: "https://bugzilla.suse.com/896109", }, { category: "self", summary: "SUSE Bug 896238", url: "https://bugzilla.suse.com/896238", }, { category: "self", summary: "SUSE Bug 896244", url: "https://bugzilla.suse.com/896244", }, { category: "self", summary: "SUSE Bug 896254", url: "https://bugzilla.suse.com/896254", }, { category: "self", summary: "SUSE Bug 896844", url: "https://bugzilla.suse.com/896844", }, { category: "self", summary: "SUSE Bug 897723", url: "https://bugzilla.suse.com/897723", }, { category: "self", summary: "SUSE Bug 898242", url: "https://bugzilla.suse.com/898242", }, { category: "self", summary: "SUSE Bug 898426", url: "https://bugzilla.suse.com/898426", }, { category: "self", summary: "SUSE Bug 898428", url: "https://bugzilla.suse.com/898428", }, { category: "self", summary: "SUSE Bug 899266", url: 
"https://bugzilla.suse.com/899266", }, { category: "self", summary: "SUSE Bug 900956", url: "https://bugzilla.suse.com/900956", }, { category: "self", summary: "SUSE Bug 901058", url: "https://bugzilla.suse.com/901058", }, { category: "self", summary: "SUSE Bug 901108", url: "https://bugzilla.suse.com/901108", }, { category: "self", summary: "SUSE Bug 901193", url: "https://bugzilla.suse.com/901193", }, { category: "self", summary: "SUSE Bug 901675", url: "https://bugzilla.suse.com/901675", }, { category: "self", summary: "SUSE Bug 901776", url: "https://bugzilla.suse.com/901776", }, { category: "self", summary: "SUSE Bug 901927", url: "https://bugzilla.suse.com/901927", }, { category: "self", summary: "SUSE Bug 901928", url: "https://bugzilla.suse.com/901928", }, { category: "self", summary: "SUSE Bug 901958", url: "https://bugzilla.suse.com/901958", }, { category: "self", summary: "SUSE Bug 902182", url: "https://bugzilla.suse.com/902182", }, { category: "self", summary: "SUSE Bug 902373", url: "https://bugzilla.suse.com/902373", }, { category: "self", summary: "SUSE Bug 902494", url: "https://bugzilla.suse.com/902494", }, { category: "self", summary: "SUSE Bug 902503", url: "https://bugzilla.suse.com/902503", }, { category: "self", summary: "SUSE Bug 902915", url: "https://bugzilla.suse.com/902915", }, { category: "self", summary: "SUSE Bug 903064", url: "https://bugzilla.suse.com/903064", }, { category: "self", summary: "SUSE Bug 903720", url: "https://bugzilla.suse.com/903720", }, { category: "self", summary: "SUSE Bug 903723", url: "https://bugzilla.suse.com/903723", }, { category: "self", summary: "SUSE Bug 903880", url: "https://bugzilla.suse.com/903880", }, { category: "self", summary: "SUSE Bug 903961", url: "https://bugzilla.suse.com/903961", }, { category: "self", summary: "SUSE Bug 904690", url: "https://bugzilla.suse.com/904690", }, { category: "self", summary: "SUSE Bug 904699", url: "https://bugzilla.suse.com/904699", }, { category: "self", summary: 
"SUSE Bug 904703", url: "https://bugzilla.suse.com/904703", }, { category: "self", summary: "SUSE Bug 904732", url: "https://bugzilla.suse.com/904732", }, { category: "self", summary: "SUSE Bug 904841", url: "https://bugzilla.suse.com/904841", }, { category: "self", summary: "SUSE Bug 904959", url: "https://bugzilla.suse.com/904959", }, { category: "self", summary: "SUSE Bug 905072", url: "https://bugzilla.suse.com/905072", }, { category: "self", summary: "SUSE Bug 905263", url: "https://bugzilla.suse.com/905263", }, { category: "self", summary: "SUSE Bug 905530", url: "https://bugzilla.suse.com/905530", }, { category: "self", summary: "SUSE Bug 906850", url: "https://bugzilla.suse.com/906850", }, { category: "self", summary: "SUSE Bug 906851", url: "https://bugzilla.suse.com/906851", }, { category: "self", summary: "SUSE Bug 906887", url: "https://bugzilla.suse.com/906887", }, { category: "self", summary: "SUSE Bug 907086", url: "https://bugzilla.suse.com/907086", }, { category: "self", summary: "SUSE Bug 907106", url: "https://bugzilla.suse.com/907106", }, { category: "self", summary: "SUSE Bug 907337", url: "https://bugzilla.suse.com/907337", }, { category: "self", summary: "SUSE Bug 907527", url: "https://bugzilla.suse.com/907527", }, { category: "self", summary: "SUSE Bug 907586", url: "https://bugzilla.suse.com/907586", }, { category: "self", summary: "SUSE Bug 907643", url: "https://bugzilla.suse.com/907643", }, { category: "self", summary: "SUSE Bug 907645", url: "https://bugzilla.suse.com/907645", }, { category: "self", summary: "SUSE Bug 907646", url: "https://bugzilla.suse.com/907646", }, { category: "self", summary: "SUSE Bug 907677", url: "https://bugzilla.suse.com/907677", }, { category: "self", summary: "SUSE Bug 907809", url: "https://bugzilla.suse.com/907809", }, { category: "self", summary: "SUSE Bug 908317", url: "https://bugzilla.suse.com/908317", }, { category: "self", summary: "SUSE Bug 908320", url: "https://bugzilla.suse.com/908320", }, { 
category: "self", summary: "SUSE Bug 908849", url: "https://bugzilla.suse.com/908849", }, { category: "self", summary: "SUSE Bug 909724", url: "https://bugzilla.suse.com/909724", }, { category: "self", summary: "SUSE Bug 910243", url: "https://bugzilla.suse.com/910243", }, { category: "self", summary: "SUSE Bug 910482", url: "https://bugzilla.suse.com/910482", }, { category: "self", summary: "SUSE Bug 910494", url: "https://bugzilla.suse.com/910494", }, { category: "self", summary: "SUSE Bug 911166", url: "https://bugzilla.suse.com/911166", }, { category: "self", summary: "SUSE Bug 911180", url: "https://bugzilla.suse.com/911180", }, { category: "self", summary: "SUSE Bug 911272", url: "https://bugzilla.suse.com/911272", }, { category: "self", summary: "SUSE Bug 911808", url: "https://bugzilla.suse.com/911808", }, { category: "self", summary: "SUSE Bug 912035", url: "https://bugzilla.suse.com/912035", }, { category: "self", summary: "SUSE Bug 912057", url: "https://bugzilla.suse.com/912057", }, { category: "self", summary: "SUSE Bug 912886", url: "https://bugzilla.suse.com/912886", }, { category: "self", summary: "SUSE Bug 913215", url: "https://bugzilla.suse.com/913215", }, { category: "self", summary: "SUSE Bug 913221", url: "https://bugzilla.suse.com/913221", }, { category: "self", summary: "SUSE Bug 913939", url: "https://bugzilla.suse.com/913939", }, { category: "self", summary: "SUSE Bug 914260", url: "https://bugzilla.suse.com/914260", }, { category: "self", summary: "SUSE Bug 914437", url: "https://bugzilla.suse.com/914437", }, { category: "self", summary: "SUSE Bug 914900", url: "https://bugzilla.suse.com/914900", }, { category: "self", summary: "SUSE Bug 915140", url: "https://bugzilla.suse.com/915140", }, { category: "self", summary: "SUSE Bug 919448", url: "https://bugzilla.suse.com/919448", }, { category: "self", summary: "SUSE CVE CVE-2014-0114 page", url: "https://www.suse.com/security/cve/CVE-2014-0114/", }, { category: "self", summary: "SUSE CVE 
CVE-2014-0240 page", url: "https://www.suse.com/security/cve/CVE-2014-0240/", }, { category: "self", summary: "SUSE CVE CVE-2014-0242 page", url: "https://www.suse.com/security/cve/CVE-2014-0242/", }, { category: "self", summary: "SUSE CVE CVE-2014-3654 page", url: "https://www.suse.com/security/cve/CVE-2014-3654/", }, { category: "self", summary: "SUSE CVE CVE-2014-7811 page", url: "https://www.suse.com/security/cve/CVE-2014-7811/", }, { category: "self", summary: "SUSE CVE CVE-2014-7812 page", url: "https://www.suse.com/security/cve/CVE-2014-7812/", }, { category: "self", summary: "SUSE CVE CVE-2014-8583 page", url: "https://www.suse.com/security/cve/CVE-2014-8583/", }, { category: "self", summary: "SUSE CVE CVE-2014-9130 page", url: "https://www.suse.com/security/cve/CVE-2014-9130/", }, ], title: "Recommended update for SUSE Manager Server 2.1", tracking: { current_release_date: "2015-02-25T20:05:05Z", generator: { date: "2015-02-25T20:05:05Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "SUSE-RU-2015:0611-1", initial_release_date: "2015-02-25T20:05:05Z", revision_history: [ { date: "2015-02-25T20:05:05Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "auditlog-keeper-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", product: { name: "auditlog-keeper-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", product_id: "auditlog-keeper-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", }, }, { category: "product_version", name: "auditlog-keeper-rdbms-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", product: { name: "auditlog-keeper-rdbms-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", product_id: "auditlog-keeper-rdbms-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", }, }, { category: "product_version", name: "auditlog-keeper-spacewalk-validator-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", product: { name: 
"auditlog-keeper-spacewalk-validator-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", product_id: "auditlog-keeper-spacewalk-validator-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", }, }, { category: "product_version", name: "auditlog-keeper-syslog-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", product: { name: "auditlog-keeper-syslog-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", product_id: "auditlog-keeper-syslog-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", }, }, { category: "product_version", name: "auditlog-keeper-xmlout-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", product: { name: "auditlog-keeper-xmlout-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", product_id: "auditlog-keeper-xmlout-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", }, }, { category: "product_version", name: "google-gson-2.2.4-0.7.52.noarch", product: { name: "google-gson-2.2.4-0.7.52.noarch", product_id: "google-gson-2.2.4-0.7.52.noarch", }, }, { category: "product_version", name: "oracle-config-1.1-0.10.10.16.noarch", product: { name: "oracle-config-1.1-0.10.10.16.noarch", product_id: "oracle-config-1.1-0.10.10.16.noarch", }, }, { category: "product_version", name: "osa-dispatcher-5.11.33.7-0.7.16.noarch", product: { name: "osa-dispatcher-5.11.33.7-0.7.16.noarch", product_id: "osa-dispatcher-5.11.33.7-0.7.16.noarch", }, }, { category: "product_version", name: "perl-Class-Singleton-1.4-4.13.38.noarch", product: { name: "perl-Class-Singleton-1.4-4.13.38.noarch", product_id: "perl-Class-Singleton-1.4-4.13.38.noarch", }, }, { category: "product_version", name: "perl-NOCpulse-Object-1.26.13.2-0.7.13.noarch", product: { name: "perl-NOCpulse-Object-1.26.13.2-0.7.13.noarch", product_id: "perl-NOCpulse-Object-1.26.13.2-0.7.13.noarch", }, }, { category: "product_version", name: "perl-Satcon-1.20.2-0.7.6.noarch", product: { name: "perl-Satcon-1.20.2-0.7.6.noarch", product_id: "perl-Satcon-1.20.2-0.7.6.noarch", }, }, { category: "product_version", name: 
"perl-auditlog-keeper-client-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", product: { name: "perl-auditlog-keeper-client-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", product_id: "perl-auditlog-keeper-client-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", }, }, { category: "product_version", name: "pxe-default-image-0.1-0.20.56.noarch", product: { name: "pxe-default-image-0.1-0.20.56.noarch", product_id: "pxe-default-image-0.1-0.20.56.noarch", }, }, { category: "product_version", name: "rhn-custom-info-5.4.22.6-0.7.13.noarch", product: { name: "rhn-custom-info-5.4.22.6-0.7.13.noarch", product_id: "rhn-custom-info-5.4.22.6-0.7.13.noarch", }, }, { category: "product_version", name: "rhnmd-5.3.18.4-0.7.15.noarch", product: { name: "rhnmd-5.3.18.4-0.7.15.noarch", product_id: "rhnmd-5.3.18.4-0.7.15.noarch", }, }, { category: "product_version", name: "rhnpush-5.5.71.7-0.7.16.noarch", product: { name: "rhnpush-5.5.71.7-0.7.16.noarch", product_id: "rhnpush-5.5.71.7-0.7.16.noarch", }, }, { category: "product_version", name: "sm-ncc-sync-data-2.1.9-0.7.6.noarch", product: { name: "sm-ncc-sync-data-2.1.9-0.7.6.noarch", product_id: "sm-ncc-sync-data-2.1.9-0.7.6.noarch", }, }, { category: "product_version", name: "spacewalk-admin-2.1.2.4-0.7.6.noarch", product: { name: "spacewalk-admin-2.1.2.4-0.7.6.noarch", product_id: "spacewalk-admin-2.1.2.4-0.7.6.noarch", }, }, { category: "product_version", name: "spacewalk-base-2.1.60.12-0.7.7.noarch", product: { name: "spacewalk-base-2.1.60.12-0.7.7.noarch", product_id: "spacewalk-base-2.1.60.12-0.7.7.noarch", }, }, { category: "product_version", name: "spacewalk-base-minimal-2.1.60.12-0.7.7.noarch", product: { name: "spacewalk-base-minimal-2.1.60.12-0.7.7.noarch", product_id: "spacewalk-base-minimal-2.1.60.12-0.7.7.noarch", }, }, { category: "product_version", name: "spacewalk-base-minimal-config-2.1.60.12-0.7.7.noarch", product: { name: "spacewalk-base-minimal-config-2.1.60.12-0.7.7.noarch", product_id: 
"spacewalk-base-minimal-config-2.1.60.12-0.7.7.noarch", }, }, { category: "product_version", name: "spacewalk-certs-tools-2.1.6.5-0.7.10.noarch", product: { name: "spacewalk-certs-tools-2.1.6.5-0.7.10.noarch", product_id: "spacewalk-certs-tools-2.1.6.5-0.7.10.noarch", }, }, { category: "product_version", name: "spacewalk-check-2.1.16.6-0.7.9.noarch", product: { name: "spacewalk-check-2.1.16.6-0.7.9.noarch", product_id: "spacewalk-check-2.1.16.6-0.7.9.noarch", }, }, { category: "product_version", name: "spacewalk-client-setup-2.1.16.6-0.7.9.noarch", product: { name: "spacewalk-client-setup-2.1.16.6-0.7.9.noarch", product_id: "spacewalk-client-setup-2.1.16.6-0.7.9.noarch", }, }, { category: "product_version", name: "spacewalk-client-tools-2.1.16.6-0.7.9.noarch", product: { name: "spacewalk-client-tools-2.1.16.6-0.7.9.noarch", product_id: "spacewalk-client-tools-2.1.16.6-0.7.9.noarch", }, }, { category: "product_version", name: "spacewalk-config-2.1.5.4-0.7.15.noarch", product: { name: "spacewalk-config-2.1.5.4-0.7.15.noarch", product_id: "spacewalk-config-2.1.5.4-0.7.15.noarch", }, }, { category: "product_version", name: "spacewalk-doc-indexes-2.1.2.3-0.7.26.noarch", product: { name: "spacewalk-doc-indexes-2.1.2.3-0.7.26.noarch", product_id: "spacewalk-doc-indexes-2.1.2.3-0.7.26.noarch", }, }, { category: "product_version", name: "spacewalk-grail-2.1.60.12-0.7.7.noarch", product: { name: "spacewalk-grail-2.1.60.12-0.7.7.noarch", product_id: "spacewalk-grail-2.1.60.12-0.7.7.noarch", }, }, { category: "product_version", name: "spacewalk-html-2.1.60.12-0.7.7.noarch", product: { name: "spacewalk-html-2.1.60.12-0.7.7.noarch", product_id: "spacewalk-html-2.1.60.12-0.7.7.noarch", }, }, { category: "product_version", name: "spacewalk-java-2.1.165.14-0.7.16.noarch", product: { name: "spacewalk-java-2.1.165.14-0.7.16.noarch", product_id: "spacewalk-java-2.1.165.14-0.7.16.noarch", }, }, { category: "product_version", name: "spacewalk-java-config-2.1.165.14-0.7.16.noarch", 
product: { name: "spacewalk-java-config-2.1.165.14-0.7.16.noarch", product_id: "spacewalk-java-config-2.1.165.14-0.7.16.noarch", }, }, { category: "product_version", name: "spacewalk-java-lib-2.1.165.14-0.7.16.noarch", product: { name: "spacewalk-java-lib-2.1.165.14-0.7.16.noarch", product_id: "spacewalk-java-lib-2.1.165.14-0.7.16.noarch", }, }, { category: "product_version", name: "spacewalk-java-oracle-2.1.165.14-0.7.16.noarch", product: { name: "spacewalk-java-oracle-2.1.165.14-0.7.16.noarch", product_id: "spacewalk-java-oracle-2.1.165.14-0.7.16.noarch", }, }, { category: "product_version", name: "spacewalk-java-postgresql-2.1.165.14-0.7.16.noarch", product: { name: "spacewalk-java-postgresql-2.1.165.14-0.7.16.noarch", product_id: "spacewalk-java-postgresql-2.1.165.14-0.7.16.noarch", }, }, { category: "product_version", name: "spacewalk-pxt-2.1.60.12-0.7.7.noarch", product: { name: "spacewalk-pxt-2.1.60.12-0.7.7.noarch", product_id: "spacewalk-pxt-2.1.60.12-0.7.7.noarch", }, }, { category: "product_version", name: "spacewalk-reports-2.1.14.8-0.7.10.noarch", product: { name: "spacewalk-reports-2.1.14.8-0.7.10.noarch", product_id: "spacewalk-reports-2.1.14.8-0.7.10.noarch", }, }, { category: "product_version", name: "spacewalk-search-2.1.14.6-0.7.18.noarch", product: { name: "spacewalk-search-2.1.14.6-0.7.18.noarch", product_id: "spacewalk-search-2.1.14.6-0.7.18.noarch", }, }, { category: "product_version", name: "spacewalk-setup-2.1.14.9-0.7.6.noarch", product: { name: "spacewalk-setup-2.1.14.9-0.7.6.noarch", product_id: "spacewalk-setup-2.1.14.9-0.7.6.noarch", }, }, { category: "product_version", name: "spacewalk-setup-jabberd-2.1.0.2-0.7.6.noarch", product: { name: "spacewalk-setup-jabberd-2.1.0.2-0.7.6.noarch", product_id: "spacewalk-setup-jabberd-2.1.0.2-0.7.6.noarch", }, }, { category: "product_version", name: "spacewalk-sniglets-2.1.60.12-0.7.7.noarch", product: { name: "spacewalk-sniglets-2.1.60.12-0.7.7.noarch", product_id: 
"spacewalk-sniglets-2.1.60.12-0.7.7.noarch", }, }, { category: "product_version", name: "spacewalk-taskomatic-2.1.165.14-0.7.16.noarch", product: { name: "spacewalk-taskomatic-2.1.165.14-0.7.16.noarch", product_id: "spacewalk-taskomatic-2.1.165.14-0.7.16.noarch", }, }, { category: "product_version", name: "spacewalk-utils-2.1.27.12-0.7.25.noarch", product: { name: "spacewalk-utils-2.1.27.12-0.7.25.noarch", product_id: "spacewalk-utils-2.1.27.12-0.7.25.noarch", }, }, { category: "product_version", name: "struts-1.2.9-162.33.22.noarch", product: { name: "struts-1.2.9-162.33.22.noarch", product_id: "struts-1.2.9-162.33.22.noarch", }, }, { category: "product_version", name: "supportutils-plugin-susemanager-1.0.3-0.5.5.noarch", product: { name: "supportutils-plugin-susemanager-1.0.3-0.5.5.noarch", product_id: "supportutils-plugin-susemanager-1.0.3-0.5.5.noarch", }, }, { category: "product_version", name: "supportutils-plugin-susemanager-client-1.0.4-0.5.5.noarch", product: { name: "supportutils-plugin-susemanager-client-1.0.4-0.5.5.noarch", product_id: "supportutils-plugin-susemanager-client-1.0.4-0.5.5.noarch", }, }, { category: "product_version", name: "susemanager-client-config_en-pdf-2.1-0.15.24.noarch", product: { name: "susemanager-client-config_en-pdf-2.1-0.15.24.noarch", product_id: "susemanager-client-config_en-pdf-2.1-0.15.24.noarch", }, }, { category: "product_version", name: "susemanager-install_en-pdf-2.1-0.15.24.noarch", product: { name: "susemanager-install_en-pdf-2.1-0.15.24.noarch", product_id: "susemanager-install_en-pdf-2.1-0.15.24.noarch", }, }, { category: "product_version", name: "susemanager-jsp_en-2.1-0.15.23.noarch", product: { name: "susemanager-jsp_en-2.1-0.15.23.noarch", product_id: "susemanager-jsp_en-2.1-0.15.23.noarch", }, }, { category: "product_version", name: "susemanager-manuals_en-2.1-0.15.24.noarch", product: { name: "susemanager-manuals_en-2.1-0.15.24.noarch", product_id: "susemanager-manuals_en-2.1-0.15.24.noarch", }, }, { 
category: "product_version", name: "susemanager-proxy-quick_en-pdf-2.1-0.15.24.noarch", product: { name: "susemanager-proxy-quick_en-pdf-2.1-0.15.24.noarch", product_id: "susemanager-proxy-quick_en-pdf-2.1-0.15.24.noarch", }, }, { category: "product_version", name: "susemanager-reference_en-pdf-2.1-0.15.24.noarch", product: { name: "susemanager-reference_en-pdf-2.1-0.15.24.noarch", product_id: "susemanager-reference_en-pdf-2.1-0.15.24.noarch", }, }, { category: "product_version", name: "susemanager-schema-2.1.50.11-0.7.8.noarch", product: { name: "susemanager-schema-2.1.50.11-0.7.8.noarch", product_id: "susemanager-schema-2.1.50.11-0.7.8.noarch", }, }, { category: "product_version", name: "susemanager-sync-data-2.1.5-0.7.6.noarch", product: { name: "susemanager-sync-data-2.1.5-0.7.6.noarch", product_id: "susemanager-sync-data-2.1.5-0.7.6.noarch", }, }, { category: "product_version", name: "susemanager-user_en-pdf-2.1-0.15.24.noarch", product: { name: "susemanager-user_en-pdf-2.1-0.15.24.noarch", product_id: "susemanager-user_en-pdf-2.1-0.15.24.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "apache2-mod_wsgi-3.3-5.7.17.s390x", product: { name: "apache2-mod_wsgi-3.3-5.7.17.s390x", product_id: "apache2-mod_wsgi-3.3-5.7.17.s390x", }, }, { category: "product_version", name: "cobbler-2.2.2-0.54.9.s390x", product: { name: "cobbler-2.2.2-0.54.9.s390x", product_id: "cobbler-2.2.2-0.54.9.s390x", }, }, { category: "product_version", name: "libyaml-0-2-0.1.3-0.10.16.11.s390x", product: { name: "libyaml-0-2-0.1.3-0.10.16.11.s390x", product_id: "libyaml-0-2-0.1.3-0.10.16.11.s390x", }, }, { category: "product_version", name: "postgresql91-pltcl-9.1.15-0.3.1.s390x", product: { name: "postgresql91-pltcl-9.1.15-0.3.1.s390x", product_id: "postgresql91-pltcl-9.1.15-0.3.1.s390x", }, }, { category: "product_version", name: "python-enum34-1.0-0.7.33.s390x", product: { name: "python-enum34-1.0-0.7.33.s390x", product_id: 
"python-enum34-1.0-0.7.33.s390x", }, }, { category: "product_version", name: "python-gzipstream-1.10.2.2-0.7.6.s390x", product: { name: "python-gzipstream-1.10.2.2-0.7.6.s390x", product_id: "python-gzipstream-1.10.2.2-0.7.6.s390x", }, }, { category: "product_version", name: "rhnlib-2.5.69.6-0.7.6.s390x", product: { name: "rhnlib-2.5.69.6-0.7.6.s390x", product_id: "rhnlib-2.5.69.6-0.7.6.s390x", }, }, { category: "product_version", name: "smdba-1.5.1-0.7.6.s390x", product: { name: "smdba-1.5.1-0.7.6.s390x", product_id: "smdba-1.5.1-0.7.6.s390x", }, }, { category: "product_version", name: "spacecmd-2.1.25.7-0.7.9.s390x", product: { name: "spacecmd-2.1.25.7-0.7.9.s390x", product_id: "spacecmd-2.1.25.7-0.7.9.s390x", }, }, { category: "product_version", name: "spacewalk-backend-2.1.55.15-0.7.11.s390x", product: { name: "spacewalk-backend-2.1.55.15-0.7.11.s390x", product_id: "spacewalk-backend-2.1.55.15-0.7.11.s390x", }, }, { category: "product_version", name: "spacewalk-backend-app-2.1.55.15-0.7.11.s390x", product: { name: "spacewalk-backend-app-2.1.55.15-0.7.11.s390x", product_id: "spacewalk-backend-app-2.1.55.15-0.7.11.s390x", }, }, { category: "product_version", name: "spacewalk-backend-applet-2.1.55.15-0.7.11.s390x", product: { name: "spacewalk-backend-applet-2.1.55.15-0.7.11.s390x", product_id: "spacewalk-backend-applet-2.1.55.15-0.7.11.s390x", }, }, { category: "product_version", name: "spacewalk-backend-config-files-2.1.55.15-0.7.11.s390x", product: { name: "spacewalk-backend-config-files-2.1.55.15-0.7.11.s390x", product_id: "spacewalk-backend-config-files-2.1.55.15-0.7.11.s390x", }, }, { category: "product_version", name: "spacewalk-backend-config-files-common-2.1.55.15-0.7.11.s390x", product: { name: "spacewalk-backend-config-files-common-2.1.55.15-0.7.11.s390x", product_id: "spacewalk-backend-config-files-common-2.1.55.15-0.7.11.s390x", }, }, { category: "product_version", name: "spacewalk-backend-config-files-tool-2.1.55.15-0.7.11.s390x", product: { name: 
"spacewalk-backend-config-files-tool-2.1.55.15-0.7.11.s390x", product_id: "spacewalk-backend-config-files-tool-2.1.55.15-0.7.11.s390x", }, }, { category: "product_version", name: "spacewalk-backend-iss-2.1.55.15-0.7.11.s390x", product: { name: "spacewalk-backend-iss-2.1.55.15-0.7.11.s390x", product_id: "spacewalk-backend-iss-2.1.55.15-0.7.11.s390x", }, }, { category: "product_version", name: "spacewalk-backend-iss-export-2.1.55.15-0.7.11.s390x", product: { name: "spacewalk-backend-iss-export-2.1.55.15-0.7.11.s390x", product_id: "spacewalk-backend-iss-export-2.1.55.15-0.7.11.s390x", }, }, { category: "product_version", name: "spacewalk-backend-libs-2.1.55.15-0.7.11.s390x", product: { name: "spacewalk-backend-libs-2.1.55.15-0.7.11.s390x", product_id: "spacewalk-backend-libs-2.1.55.15-0.7.11.s390x", }, }, { category: "product_version", name: "spacewalk-backend-package-push-server-2.1.55.15-0.7.11.s390x", product: { name: "spacewalk-backend-package-push-server-2.1.55.15-0.7.11.s390x", product_id: "spacewalk-backend-package-push-server-2.1.55.15-0.7.11.s390x", }, }, { category: "product_version", name: "spacewalk-backend-server-2.1.55.15-0.7.11.s390x", product: { name: "spacewalk-backend-server-2.1.55.15-0.7.11.s390x", product_id: "spacewalk-backend-server-2.1.55.15-0.7.11.s390x", }, }, { category: "product_version", name: "spacewalk-backend-sql-2.1.55.15-0.7.11.s390x", product: { name: "spacewalk-backend-sql-2.1.55.15-0.7.11.s390x", product_id: "spacewalk-backend-sql-2.1.55.15-0.7.11.s390x", }, }, { category: "product_version", name: "spacewalk-backend-sql-oracle-2.1.55.15-0.7.11.s390x", product: { name: "spacewalk-backend-sql-oracle-2.1.55.15-0.7.11.s390x", product_id: "spacewalk-backend-sql-oracle-2.1.55.15-0.7.11.s390x", }, }, { category: "product_version", name: "spacewalk-backend-sql-postgresql-2.1.55.15-0.7.11.s390x", product: { name: "spacewalk-backend-sql-postgresql-2.1.55.15-0.7.11.s390x", product_id: "spacewalk-backend-sql-postgresql-2.1.55.15-0.7.11.s390x", 
}, }, { category: "product_version", name: "spacewalk-backend-tools-2.1.55.15-0.7.11.s390x", product: { name: "spacewalk-backend-tools-2.1.55.15-0.7.11.s390x", product_id: "spacewalk-backend-tools-2.1.55.15-0.7.11.s390x", }, }, { category: "product_version", name: "spacewalk-backend-xml-export-libs-2.1.55.15-0.7.11.s390x", product: { name: "spacewalk-backend-xml-export-libs-2.1.55.15-0.7.11.s390x", product_id: "spacewalk-backend-xml-export-libs-2.1.55.15-0.7.11.s390x", }, }, { category: "product_version", name: "spacewalk-backend-xmlrpc-2.1.55.15-0.7.11.s390x", product: { name: "spacewalk-backend-xmlrpc-2.1.55.15-0.7.11.s390x", product_id: "spacewalk-backend-xmlrpc-2.1.55.15-0.7.11.s390x", }, }, { category: "product_version", name: "spacewalk-branding-2.1.33.10-0.7.16.s390x", product: { name: "spacewalk-branding-2.1.33.10-0.7.16.s390x", product_id: "spacewalk-branding-2.1.33.10-0.7.16.s390x", }, }, { category: "product_version", name: "spacewalksd-5.0.14.6-0.7.15.s390x", product: { name: "spacewalksd-5.0.14.6-0.7.15.s390x", product_id: "spacewalksd-5.0.14.6-0.7.15.s390x", }, }, { category: "product_version", name: "suseRegisterInfo-2.1.9-0.7.29.s390x", product: { name: "suseRegisterInfo-2.1.9-0.7.29.s390x", product_id: "suseRegisterInfo-2.1.9-0.7.29.s390x", }, }, { category: "product_version", name: "susemanager-2.1.17-0.7.11.s390x", product: { name: "susemanager-2.1.17-0.7.11.s390x", product_id: "susemanager-2.1.17-0.7.11.s390x", }, }, { category: "product_version", name: "susemanager-tools-2.1.17-0.7.11.s390x", product: { name: "susemanager-tools-2.1.17-0.7.11.s390x", product_id: "susemanager-tools-2.1.17-0.7.11.s390x", }, }, { category: "product_version", name: "tanukiwrapper-3.2.3-0.10.12.s390x", product: { name: "tanukiwrapper-3.2.3-0.10.12.s390x", product_id: "tanukiwrapper-3.2.3-0.10.12.s390x", }, }, { category: "product_version", name: "yum-3.2.29-0.19.30.s390x", product: { name: "yum-3.2.29-0.19.30.s390x", product_id: "yum-3.2.29-0.19.30.s390x", }, }, { 
category: "product_version", name: "yum-common-3.2.29-0.19.30.s390x", product: { name: "yum-common-3.2.29-0.19.30.s390x", product_id: "yum-common-3.2.29-0.19.30.s390x", }, }, { category: "product_version", name: "zypp-plugin-spacewalk-0.9.8-0.15.51.s390x", product: { name: "zypp-plugin-spacewalk-0.9.8-0.15.51.s390x", product_id: "zypp-plugin-spacewalk-0.9.8-0.15.51.s390x", }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_name", name: "SUSE Manager 2.1", product: { name: "SUSE Manager 2.1", product_id: "SUSE Manager 2.1", product_identification_helper: { cpe: "cpe:/o:suse:suse-manager-server:2.1", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "apache2-mod_wsgi-3.3-5.7.17.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:apache2-mod_wsgi-3.3-5.7.17.s390x", }, product_reference: "apache2-mod_wsgi-3.3-5.7.17.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "auditlog-keeper-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:auditlog-keeper-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", }, product_reference: "auditlog-keeper-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "auditlog-keeper-rdbms-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:auditlog-keeper-rdbms-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", }, product_reference: "auditlog-keeper-rdbms-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: 
"auditlog-keeper-spacewalk-validator-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:auditlog-keeper-spacewalk-validator-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", }, product_reference: "auditlog-keeper-spacewalk-validator-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "auditlog-keeper-syslog-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:auditlog-keeper-syslog-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", }, product_reference: "auditlog-keeper-syslog-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "auditlog-keeper-xmlout-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:auditlog-keeper-xmlout-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", }, product_reference: "auditlog-keeper-xmlout-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "cobbler-2.2.2-0.54.9.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:cobbler-2.2.2-0.54.9.s390x", }, product_reference: "cobbler-2.2.2-0.54.9.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "google-gson-2.2.4-0.7.52.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:google-gson-2.2.4-0.7.52.noarch", }, product_reference: "google-gson-2.2.4-0.7.52.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "libyaml-0-2-0.1.3-0.10.16.11.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:libyaml-0-2-0.1.3-0.10.16.11.s390x", }, 
product_reference: "libyaml-0-2-0.1.3-0.10.16.11.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "oracle-config-1.1-0.10.10.16.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:oracle-config-1.1-0.10.10.16.noarch", }, product_reference: "oracle-config-1.1-0.10.10.16.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "osa-dispatcher-5.11.33.7-0.7.16.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:osa-dispatcher-5.11.33.7-0.7.16.noarch", }, product_reference: "osa-dispatcher-5.11.33.7-0.7.16.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "perl-Class-Singleton-1.4-4.13.38.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:perl-Class-Singleton-1.4-4.13.38.noarch", }, product_reference: "perl-Class-Singleton-1.4-4.13.38.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "perl-NOCpulse-Object-1.26.13.2-0.7.13.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:perl-NOCpulse-Object-1.26.13.2-0.7.13.noarch", }, product_reference: "perl-NOCpulse-Object-1.26.13.2-0.7.13.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "perl-Satcon-1.20.2-0.7.6.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:perl-Satcon-1.20.2-0.7.6.noarch", }, product_reference: "perl-Satcon-1.20.2-0.7.6.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "perl-auditlog-keeper-client-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 
2.1:perl-auditlog-keeper-client-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", }, product_reference: "perl-auditlog-keeper-client-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "postgresql91-pltcl-9.1.15-0.3.1.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:postgresql91-pltcl-9.1.15-0.3.1.s390x", }, product_reference: "postgresql91-pltcl-9.1.15-0.3.1.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "pxe-default-image-0.1-0.20.56.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:pxe-default-image-0.1-0.20.56.noarch", }, product_reference: "pxe-default-image-0.1-0.20.56.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "python-enum34-1.0-0.7.33.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:python-enum34-1.0-0.7.33.s390x", }, product_reference: "python-enum34-1.0-0.7.33.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "python-gzipstream-1.10.2.2-0.7.6.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:python-gzipstream-1.10.2.2-0.7.6.s390x", }, product_reference: "python-gzipstream-1.10.2.2-0.7.6.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "rhn-custom-info-5.4.22.6-0.7.13.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:rhn-custom-info-5.4.22.6-0.7.13.noarch", }, product_reference: "rhn-custom-info-5.4.22.6-0.7.13.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "rhnlib-2.5.69.6-0.7.6.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 
2.1:rhnlib-2.5.69.6-0.7.6.s390x", }, product_reference: "rhnlib-2.5.69.6-0.7.6.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "rhnmd-5.3.18.4-0.7.15.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:rhnmd-5.3.18.4-0.7.15.noarch", }, product_reference: "rhnmd-5.3.18.4-0.7.15.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "rhnpush-5.5.71.7-0.7.16.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:rhnpush-5.5.71.7-0.7.16.noarch", }, product_reference: "rhnpush-5.5.71.7-0.7.16.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "sm-ncc-sync-data-2.1.9-0.7.6.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:sm-ncc-sync-data-2.1.9-0.7.6.noarch", }, product_reference: "sm-ncc-sync-data-2.1.9-0.7.6.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "smdba-1.5.1-0.7.6.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:smdba-1.5.1-0.7.6.s390x", }, product_reference: "smdba-1.5.1-0.7.6.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacecmd-2.1.25.7-0.7.9.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacecmd-2.1.25.7-0.7.9.s390x", }, product_reference: "spacecmd-2.1.25.7-0.7.9.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-admin-2.1.2.4-0.7.6.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-admin-2.1.2.4-0.7.6.noarch", }, product_reference: "spacewalk-admin-2.1.2.4-0.7.6.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", 
full_product_name: { name: "spacewalk-backend-2.1.55.15-0.7.11.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-backend-2.1.55.15-0.7.11.s390x", }, product_reference: "spacewalk-backend-2.1.55.15-0.7.11.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-app-2.1.55.15-0.7.11.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-backend-app-2.1.55.15-0.7.11.s390x", }, product_reference: "spacewalk-backend-app-2.1.55.15-0.7.11.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-applet-2.1.55.15-0.7.11.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-backend-applet-2.1.55.15-0.7.11.s390x", }, product_reference: "spacewalk-backend-applet-2.1.55.15-0.7.11.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-config-files-2.1.55.15-0.7.11.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-backend-config-files-2.1.55.15-0.7.11.s390x", }, product_reference: "spacewalk-backend-config-files-2.1.55.15-0.7.11.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-config-files-common-2.1.55.15-0.7.11.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-backend-config-files-common-2.1.55.15-0.7.11.s390x", }, product_reference: "spacewalk-backend-config-files-common-2.1.55.15-0.7.11.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-config-files-tool-2.1.55.15-0.7.11.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 
2.1:spacewalk-backend-config-files-tool-2.1.55.15-0.7.11.s390x", }, product_reference: "spacewalk-backend-config-files-tool-2.1.55.15-0.7.11.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-iss-2.1.55.15-0.7.11.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-backend-iss-2.1.55.15-0.7.11.s390x", }, product_reference: "spacewalk-backend-iss-2.1.55.15-0.7.11.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-iss-export-2.1.55.15-0.7.11.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-backend-iss-export-2.1.55.15-0.7.11.s390x", }, product_reference: "spacewalk-backend-iss-export-2.1.55.15-0.7.11.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-libs-2.1.55.15-0.7.11.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-backend-libs-2.1.55.15-0.7.11.s390x", }, product_reference: "spacewalk-backend-libs-2.1.55.15-0.7.11.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-package-push-server-2.1.55.15-0.7.11.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-backend-package-push-server-2.1.55.15-0.7.11.s390x", }, product_reference: "spacewalk-backend-package-push-server-2.1.55.15-0.7.11.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-server-2.1.55.15-0.7.11.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-backend-server-2.1.55.15-0.7.11.s390x", }, product_reference: "spacewalk-backend-server-2.1.55.15-0.7.11.s390x", relates_to_product_reference: "SUSE Manager 2.1", 
}, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-sql-2.1.55.15-0.7.11.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-backend-sql-2.1.55.15-0.7.11.s390x", }, product_reference: "spacewalk-backend-sql-2.1.55.15-0.7.11.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-sql-oracle-2.1.55.15-0.7.11.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-backend-sql-oracle-2.1.55.15-0.7.11.s390x", }, product_reference: "spacewalk-backend-sql-oracle-2.1.55.15-0.7.11.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-sql-postgresql-2.1.55.15-0.7.11.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-backend-sql-postgresql-2.1.55.15-0.7.11.s390x", }, product_reference: "spacewalk-backend-sql-postgresql-2.1.55.15-0.7.11.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-tools-2.1.55.15-0.7.11.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-backend-tools-2.1.55.15-0.7.11.s390x", }, product_reference: "spacewalk-backend-tools-2.1.55.15-0.7.11.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-xml-export-libs-2.1.55.15-0.7.11.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-backend-xml-export-libs-2.1.55.15-0.7.11.s390x", }, product_reference: "spacewalk-backend-xml-export-libs-2.1.55.15-0.7.11.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-backend-xmlrpc-2.1.55.15-0.7.11.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 
2.1:spacewalk-backend-xmlrpc-2.1.55.15-0.7.11.s390x", }, product_reference: "spacewalk-backend-xmlrpc-2.1.55.15-0.7.11.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-base-2.1.60.12-0.7.7.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-base-2.1.60.12-0.7.7.noarch", }, product_reference: "spacewalk-base-2.1.60.12-0.7.7.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-base-minimal-2.1.60.12-0.7.7.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-base-minimal-2.1.60.12-0.7.7.noarch", }, product_reference: "spacewalk-base-minimal-2.1.60.12-0.7.7.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-base-minimal-config-2.1.60.12-0.7.7.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-base-minimal-config-2.1.60.12-0.7.7.noarch", }, product_reference: "spacewalk-base-minimal-config-2.1.60.12-0.7.7.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-branding-2.1.33.10-0.7.16.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-branding-2.1.33.10-0.7.16.s390x", }, product_reference: "spacewalk-branding-2.1.33.10-0.7.16.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-certs-tools-2.1.6.5-0.7.10.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-certs-tools-2.1.6.5-0.7.10.noarch", }, product_reference: "spacewalk-certs-tools-2.1.6.5-0.7.10.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-check-2.1.16.6-0.7.9.noarch as 
component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-check-2.1.16.6-0.7.9.noarch", }, product_reference: "spacewalk-check-2.1.16.6-0.7.9.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-client-setup-2.1.16.6-0.7.9.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-client-setup-2.1.16.6-0.7.9.noarch", }, product_reference: "spacewalk-client-setup-2.1.16.6-0.7.9.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-client-tools-2.1.16.6-0.7.9.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-client-tools-2.1.16.6-0.7.9.noarch", }, product_reference: "spacewalk-client-tools-2.1.16.6-0.7.9.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-config-2.1.5.4-0.7.15.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-config-2.1.5.4-0.7.15.noarch", }, product_reference: "spacewalk-config-2.1.5.4-0.7.15.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-doc-indexes-2.1.2.3-0.7.26.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-doc-indexes-2.1.2.3-0.7.26.noarch", }, product_reference: "spacewalk-doc-indexes-2.1.2.3-0.7.26.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-grail-2.1.60.12-0.7.7.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-grail-2.1.60.12-0.7.7.noarch", }, product_reference: "spacewalk-grail-2.1.60.12-0.7.7.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: 
"spacewalk-html-2.1.60.12-0.7.7.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-html-2.1.60.12-0.7.7.noarch", }, product_reference: "spacewalk-html-2.1.60.12-0.7.7.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-java-2.1.165.14-0.7.16.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-java-2.1.165.14-0.7.16.noarch", }, product_reference: "spacewalk-java-2.1.165.14-0.7.16.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-java-config-2.1.165.14-0.7.16.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-java-config-2.1.165.14-0.7.16.noarch", }, product_reference: "spacewalk-java-config-2.1.165.14-0.7.16.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-java-lib-2.1.165.14-0.7.16.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-java-lib-2.1.165.14-0.7.16.noarch", }, product_reference: "spacewalk-java-lib-2.1.165.14-0.7.16.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-java-oracle-2.1.165.14-0.7.16.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-java-oracle-2.1.165.14-0.7.16.noarch", }, product_reference: "spacewalk-java-oracle-2.1.165.14-0.7.16.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-java-postgresql-2.1.165.14-0.7.16.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-java-postgresql-2.1.165.14-0.7.16.noarch", }, product_reference: "spacewalk-java-postgresql-2.1.165.14-0.7.16.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { 
category: "default_component_of", full_product_name: { name: "spacewalk-pxt-2.1.60.12-0.7.7.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-pxt-2.1.60.12-0.7.7.noarch", }, product_reference: "spacewalk-pxt-2.1.60.12-0.7.7.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-reports-2.1.14.8-0.7.10.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-reports-2.1.14.8-0.7.10.noarch", }, product_reference: "spacewalk-reports-2.1.14.8-0.7.10.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-search-2.1.14.6-0.7.18.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-search-2.1.14.6-0.7.18.noarch", }, product_reference: "spacewalk-search-2.1.14.6-0.7.18.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-setup-2.1.14.9-0.7.6.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-setup-2.1.14.9-0.7.6.noarch", }, product_reference: "spacewalk-setup-2.1.14.9-0.7.6.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-setup-jabberd-2.1.0.2-0.7.6.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-setup-jabberd-2.1.0.2-0.7.6.noarch", }, product_reference: "spacewalk-setup-jabberd-2.1.0.2-0.7.6.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-sniglets-2.1.60.12-0.7.7.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-sniglets-2.1.60.12-0.7.7.noarch", }, product_reference: "spacewalk-sniglets-2.1.60.12-0.7.7.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: 
"default_component_of", full_product_name: { name: "spacewalk-taskomatic-2.1.165.14-0.7.16.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-taskomatic-2.1.165.14-0.7.16.noarch", }, product_reference: "spacewalk-taskomatic-2.1.165.14-0.7.16.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalk-utils-2.1.27.12-0.7.25.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalk-utils-2.1.27.12-0.7.25.noarch", }, product_reference: "spacewalk-utils-2.1.27.12-0.7.25.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "spacewalksd-5.0.14.6-0.7.15.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:spacewalksd-5.0.14.6-0.7.15.s390x", }, product_reference: "spacewalksd-5.0.14.6-0.7.15.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "struts-1.2.9-162.33.22.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:struts-1.2.9-162.33.22.noarch", }, product_reference: "struts-1.2.9-162.33.22.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "supportutils-plugin-susemanager-1.0.3-0.5.5.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:supportutils-plugin-susemanager-1.0.3-0.5.5.noarch", }, product_reference: "supportutils-plugin-susemanager-1.0.3-0.5.5.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "supportutils-plugin-susemanager-client-1.0.4-0.5.5.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:supportutils-plugin-susemanager-client-1.0.4-0.5.5.noarch", }, product_reference: "supportutils-plugin-susemanager-client-1.0.4-0.5.5.noarch", relates_to_product_reference: 
"SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "suseRegisterInfo-2.1.9-0.7.29.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:suseRegisterInfo-2.1.9-0.7.29.s390x", }, product_reference: "suseRegisterInfo-2.1.9-0.7.29.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "susemanager-2.1.17-0.7.11.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:susemanager-2.1.17-0.7.11.s390x", }, product_reference: "susemanager-2.1.17-0.7.11.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "susemanager-client-config_en-pdf-2.1-0.15.24.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:susemanager-client-config_en-pdf-2.1-0.15.24.noarch", }, product_reference: "susemanager-client-config_en-pdf-2.1-0.15.24.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "susemanager-install_en-pdf-2.1-0.15.24.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:susemanager-install_en-pdf-2.1-0.15.24.noarch", }, product_reference: "susemanager-install_en-pdf-2.1-0.15.24.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "susemanager-jsp_en-2.1-0.15.23.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:susemanager-jsp_en-2.1-0.15.23.noarch", }, product_reference: "susemanager-jsp_en-2.1-0.15.23.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "susemanager-manuals_en-2.1-0.15.24.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:susemanager-manuals_en-2.1-0.15.24.noarch", }, product_reference: "susemanager-manuals_en-2.1-0.15.24.noarch", relates_to_product_reference: "SUSE 
Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "susemanager-proxy-quick_en-pdf-2.1-0.15.24.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:susemanager-proxy-quick_en-pdf-2.1-0.15.24.noarch", }, product_reference: "susemanager-proxy-quick_en-pdf-2.1-0.15.24.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "susemanager-reference_en-pdf-2.1-0.15.24.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:susemanager-reference_en-pdf-2.1-0.15.24.noarch", }, product_reference: "susemanager-reference_en-pdf-2.1-0.15.24.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "susemanager-schema-2.1.50.11-0.7.8.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:susemanager-schema-2.1.50.11-0.7.8.noarch", }, product_reference: "susemanager-schema-2.1.50.11-0.7.8.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "susemanager-sync-data-2.1.5-0.7.6.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:susemanager-sync-data-2.1.5-0.7.6.noarch", }, product_reference: "susemanager-sync-data-2.1.5-0.7.6.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "susemanager-tools-2.1.17-0.7.11.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:susemanager-tools-2.1.17-0.7.11.s390x", }, product_reference: "susemanager-tools-2.1.17-0.7.11.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "susemanager-user_en-pdf-2.1-0.15.24.noarch as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:susemanager-user_en-pdf-2.1-0.15.24.noarch", }, product_reference: 
"susemanager-user_en-pdf-2.1-0.15.24.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "tanukiwrapper-3.2.3-0.10.12.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:tanukiwrapper-3.2.3-0.10.12.s390x", }, product_reference: "tanukiwrapper-3.2.3-0.10.12.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "yum-3.2.29-0.19.30.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:yum-3.2.29-0.19.30.s390x", }, product_reference: "yum-3.2.29-0.19.30.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "yum-common-3.2.29-0.19.30.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:yum-common-3.2.29-0.19.30.s390x", }, product_reference: "yum-common-3.2.29-0.19.30.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, { category: "default_component_of", full_product_name: { name: "zypp-plugin-spacewalk-0.9.8-0.15.51.s390x as component of SUSE Manager 2.1", product_id: "SUSE Manager 2.1:zypp-plugin-spacewalk-0.9.8-0.15.51.s390x", }, product_reference: "zypp-plugin-spacewalk-0.9.8-0.15.51.s390x", relates_to_product_reference: "SUSE Manager 2.1", }, ], }, vulnerabilities: [ { cve: "CVE-2014-0114", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2014-0114", }, ], notes: [ { category: "general", text: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", title: "CVE description", }, ], 
product_status: { recommended: [ "SUSE Manager 2.1:apache2-mod_wsgi-3.3-5.7.17.s390x", "SUSE Manager 2.1:auditlog-keeper-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-rdbms-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-spacewalk-validator-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-syslog-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-xmlout-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:cobbler-2.2.2-0.54.9.s390x", "SUSE Manager 2.1:google-gson-2.2.4-0.7.52.noarch", "SUSE Manager 2.1:libyaml-0-2-0.1.3-0.10.16.11.s390x", "SUSE Manager 2.1:oracle-config-1.1-0.10.10.16.noarch", "SUSE Manager 2.1:osa-dispatcher-5.11.33.7-0.7.16.noarch", "SUSE Manager 2.1:perl-Class-Singleton-1.4-4.13.38.noarch", "SUSE Manager 2.1:perl-NOCpulse-Object-1.26.13.2-0.7.13.noarch", "SUSE Manager 2.1:perl-Satcon-1.20.2-0.7.6.noarch", "SUSE Manager 2.1:perl-auditlog-keeper-client-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:postgresql91-pltcl-9.1.15-0.3.1.s390x", "SUSE Manager 2.1:pxe-default-image-0.1-0.20.56.noarch", "SUSE Manager 2.1:python-enum34-1.0-0.7.33.s390x", "SUSE Manager 2.1:python-gzipstream-1.10.2.2-0.7.6.s390x", "SUSE Manager 2.1:rhn-custom-info-5.4.22.6-0.7.13.noarch", "SUSE Manager 2.1:rhnlib-2.5.69.6-0.7.6.s390x", "SUSE Manager 2.1:rhnmd-5.3.18.4-0.7.15.noarch", "SUSE Manager 2.1:rhnpush-5.5.71.7-0.7.16.noarch", "SUSE Manager 2.1:sm-ncc-sync-data-2.1.9-0.7.6.noarch", "SUSE Manager 2.1:smdba-1.5.1-0.7.6.s390x", "SUSE Manager 2.1:spacecmd-2.1.25.7-0.7.9.s390x", "SUSE Manager 2.1:spacewalk-admin-2.1.2.4-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-backend-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-app-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-applet-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-2.1.55.15-0.7.11.s390x", "SUSE Manager 
2.1:spacewalk-backend-config-files-common-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-tool-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-export-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-package-push-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-oracle-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-postgresql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-tools-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xml-export-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xmlrpc-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-base-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-config-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-branding-2.1.33.10-0.7.16.s390x", "SUSE Manager 2.1:spacewalk-certs-tools-2.1.6.5-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-check-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-setup-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-tools-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-config-2.1.5.4-0.7.15.noarch", "SUSE Manager 2.1:spacewalk-doc-indexes-2.1.2.3-0.7.26.noarch", "SUSE Manager 2.1:spacewalk-grail-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-html-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-java-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-config-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-lib-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-oracle-2.1.165.14-0.7.16.noarch", "SUSE Manager 
2.1:spacewalk-java-postgresql-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-pxt-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-reports-2.1.14.8-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-search-2.1.14.6-0.7.18.noarch", "SUSE Manager 2.1:spacewalk-setup-2.1.14.9-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-setup-jabberd-2.1.0.2-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-sniglets-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-taskomatic-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-utils-2.1.27.12-0.7.25.noarch", "SUSE Manager 2.1:spacewalksd-5.0.14.6-0.7.15.s390x", "SUSE Manager 2.1:struts-1.2.9-162.33.22.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-1.0.3-0.5.5.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-client-1.0.4-0.5.5.noarch", "SUSE Manager 2.1:suseRegisterInfo-2.1.9-0.7.29.s390x", "SUSE Manager 2.1:susemanager-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-client-config_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-install_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-jsp_en-2.1-0.15.23.noarch", "SUSE Manager 2.1:susemanager-manuals_en-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-proxy-quick_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-reference_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-schema-2.1.50.11-0.7.8.noarch", "SUSE Manager 2.1:susemanager-sync-data-2.1.5-0.7.6.noarch", "SUSE Manager 2.1:susemanager-tools-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-user_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:tanukiwrapper-3.2.3-0.10.12.s390x", "SUSE Manager 2.1:yum-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:yum-common-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:zypp-plugin-spacewalk-0.9.8-0.15.51.s390x", ], }, references: [ { category: "external", summary: "CVE-2014-0114", url: "https://www.suse.com/security/cve/CVE-2014-0114", }, { category: "external", summary: "SUSE Bug 778464 for CVE-2014-0114", url: "https://bugzilla.suse.com/778464", 
}, { category: "external", summary: "SUSE Bug 875455 for CVE-2014-0114", url: "https://bugzilla.suse.com/875455", }, { category: "external", summary: "SUSE Bug 885963 for CVE-2014-0114", url: "https://bugzilla.suse.com/885963", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Manager 2.1:apache2-mod_wsgi-3.3-5.7.17.s390x", "SUSE Manager 2.1:auditlog-keeper-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-rdbms-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-spacewalk-validator-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-syslog-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-xmlout-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:cobbler-2.2.2-0.54.9.s390x", "SUSE Manager 2.1:google-gson-2.2.4-0.7.52.noarch", "SUSE Manager 2.1:libyaml-0-2-0.1.3-0.10.16.11.s390x", "SUSE Manager 2.1:oracle-config-1.1-0.10.10.16.noarch", "SUSE Manager 2.1:osa-dispatcher-5.11.33.7-0.7.16.noarch", "SUSE Manager 2.1:perl-Class-Singleton-1.4-4.13.38.noarch", "SUSE Manager 2.1:perl-NOCpulse-Object-1.26.13.2-0.7.13.noarch", "SUSE Manager 2.1:perl-Satcon-1.20.2-0.7.6.noarch", "SUSE Manager 2.1:perl-auditlog-keeper-client-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:postgresql91-pltcl-9.1.15-0.3.1.s390x", "SUSE Manager 2.1:pxe-default-image-0.1-0.20.56.noarch", "SUSE Manager 2.1:python-enum34-1.0-0.7.33.s390x", "SUSE Manager 2.1:python-gzipstream-1.10.2.2-0.7.6.s390x", "SUSE Manager 2.1:rhn-custom-info-5.4.22.6-0.7.13.noarch", "SUSE Manager 2.1:rhnlib-2.5.69.6-0.7.6.s390x", "SUSE Manager 2.1:rhnmd-5.3.18.4-0.7.15.noarch", "SUSE Manager 2.1:rhnpush-5.5.71.7-0.7.16.noarch", "SUSE Manager 2.1:sm-ncc-sync-data-2.1.9-0.7.6.noarch", "SUSE Manager 2.1:smdba-1.5.1-0.7.6.s390x", "SUSE 
Manager 2.1:spacecmd-2.1.25.7-0.7.9.s390x", "SUSE Manager 2.1:spacewalk-admin-2.1.2.4-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-backend-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-app-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-applet-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-common-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-tool-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-export-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-package-push-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-oracle-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-postgresql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-tools-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xml-export-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xmlrpc-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-base-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-config-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-branding-2.1.33.10-0.7.16.s390x", "SUSE Manager 2.1:spacewalk-certs-tools-2.1.6.5-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-check-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-setup-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-tools-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-config-2.1.5.4-0.7.15.noarch", "SUSE Manager 2.1:spacewalk-doc-indexes-2.1.2.3-0.7.26.noarch", "SUSE Manager 2.1:spacewalk-grail-2.1.60.12-0.7.7.noarch", 
"SUSE Manager 2.1:spacewalk-html-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-java-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-config-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-lib-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-oracle-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-postgresql-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-pxt-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-reports-2.1.14.8-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-search-2.1.14.6-0.7.18.noarch", "SUSE Manager 2.1:spacewalk-setup-2.1.14.9-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-setup-jabberd-2.1.0.2-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-sniglets-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-taskomatic-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-utils-2.1.27.12-0.7.25.noarch", "SUSE Manager 2.1:spacewalksd-5.0.14.6-0.7.15.s390x", "SUSE Manager 2.1:struts-1.2.9-162.33.22.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-1.0.3-0.5.5.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-client-1.0.4-0.5.5.noarch", "SUSE Manager 2.1:suseRegisterInfo-2.1.9-0.7.29.s390x", "SUSE Manager 2.1:susemanager-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-client-config_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-install_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-jsp_en-2.1-0.15.23.noarch", "SUSE Manager 2.1:susemanager-manuals_en-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-proxy-quick_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-reference_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-schema-2.1.50.11-0.7.8.noarch", "SUSE Manager 2.1:susemanager-sync-data-2.1.5-0.7.6.noarch", "SUSE Manager 2.1:susemanager-tools-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-user_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:tanukiwrapper-3.2.3-0.10.12.s390x", "SUSE Manager 2.1:yum-3.2.29-0.19.30.s390x", "SUSE Manager 
2.1:yum-common-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:zypp-plugin-spacewalk-0.9.8-0.15.51.s390x", ], }, ], threats: [ { category: "impact", date: "2015-02-25T20:05:05Z", details: "important", }, ], title: "CVE-2014-0114", }, { cve: "CVE-2014-0240", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2014-0240", }, ], notes: [ { category: "general", text: "The mod_wsgi module before 3.5 for Apache, when daemon mode is enabled, does not properly handle error codes returned by setuid when run on certain Linux kernels, which allows local users to gain privileges via vectors related to the number of running processes.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Manager 2.1:apache2-mod_wsgi-3.3-5.7.17.s390x", "SUSE Manager 2.1:auditlog-keeper-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-rdbms-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-spacewalk-validator-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-syslog-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-xmlout-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:cobbler-2.2.2-0.54.9.s390x", "SUSE Manager 2.1:google-gson-2.2.4-0.7.52.noarch", "SUSE Manager 2.1:libyaml-0-2-0.1.3-0.10.16.11.s390x", "SUSE Manager 2.1:oracle-config-1.1-0.10.10.16.noarch", "SUSE Manager 2.1:osa-dispatcher-5.11.33.7-0.7.16.noarch", "SUSE Manager 2.1:perl-Class-Singleton-1.4-4.13.38.noarch", "SUSE Manager 2.1:perl-NOCpulse-Object-1.26.13.2-0.7.13.noarch", "SUSE Manager 2.1:perl-Satcon-1.20.2-0.7.6.noarch", "SUSE Manager 2.1:perl-auditlog-keeper-client-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:postgresql91-pltcl-9.1.15-0.3.1.s390x", "SUSE Manager 2.1:pxe-default-image-0.1-0.20.56.noarch", "SUSE Manager 2.1:python-enum34-1.0-0.7.33.s390x", "SUSE Manager 2.1:python-gzipstream-1.10.2.2-0.7.6.s390x", "SUSE Manager 
2.1:rhn-custom-info-5.4.22.6-0.7.13.noarch", "SUSE Manager 2.1:rhnlib-2.5.69.6-0.7.6.s390x", "SUSE Manager 2.1:rhnmd-5.3.18.4-0.7.15.noarch", "SUSE Manager 2.1:rhnpush-5.5.71.7-0.7.16.noarch", "SUSE Manager 2.1:sm-ncc-sync-data-2.1.9-0.7.6.noarch", "SUSE Manager 2.1:smdba-1.5.1-0.7.6.s390x", "SUSE Manager 2.1:spacecmd-2.1.25.7-0.7.9.s390x", "SUSE Manager 2.1:spacewalk-admin-2.1.2.4-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-backend-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-app-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-applet-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-common-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-tool-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-export-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-package-push-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-oracle-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-postgresql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-tools-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xml-export-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xmlrpc-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-base-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-config-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-branding-2.1.33.10-0.7.16.s390x", "SUSE Manager 2.1:spacewalk-certs-tools-2.1.6.5-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-check-2.1.16.6-0.7.9.noarch", "SUSE Manager 
2.1:spacewalk-client-setup-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-tools-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-config-2.1.5.4-0.7.15.noarch", "SUSE Manager 2.1:spacewalk-doc-indexes-2.1.2.3-0.7.26.noarch", "SUSE Manager 2.1:spacewalk-grail-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-html-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-java-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-config-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-lib-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-oracle-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-postgresql-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-pxt-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-reports-2.1.14.8-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-search-2.1.14.6-0.7.18.noarch", "SUSE Manager 2.1:spacewalk-setup-2.1.14.9-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-setup-jabberd-2.1.0.2-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-sniglets-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-taskomatic-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-utils-2.1.27.12-0.7.25.noarch", "SUSE Manager 2.1:spacewalksd-5.0.14.6-0.7.15.s390x", "SUSE Manager 2.1:struts-1.2.9-162.33.22.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-1.0.3-0.5.5.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-client-1.0.4-0.5.5.noarch", "SUSE Manager 2.1:suseRegisterInfo-2.1.9-0.7.29.s390x", "SUSE Manager 2.1:susemanager-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-client-config_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-install_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-jsp_en-2.1-0.15.23.noarch", "SUSE Manager 2.1:susemanager-manuals_en-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-proxy-quick_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-reference_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-schema-2.1.50.11-0.7.8.noarch", "SUSE 
Manager 2.1:susemanager-sync-data-2.1.5-0.7.6.noarch", "SUSE Manager 2.1:susemanager-tools-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-user_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:tanukiwrapper-3.2.3-0.10.12.s390x", "SUSE Manager 2.1:yum-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:yum-common-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:zypp-plugin-spacewalk-0.9.8-0.15.51.s390x", ], }, references: [ { category: "external", summary: "CVE-2014-0240", url: "https://www.suse.com/security/cve/CVE-2014-0240", }, { category: "external", summary: "SUSE Bug 878550 for CVE-2014-0240", url: "https://bugzilla.suse.com/878550", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Manager 2.1:apache2-mod_wsgi-3.3-5.7.17.s390x", "SUSE Manager 2.1:auditlog-keeper-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-rdbms-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-spacewalk-validator-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-syslog-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-xmlout-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:cobbler-2.2.2-0.54.9.s390x", "SUSE Manager 2.1:google-gson-2.2.4-0.7.52.noarch", "SUSE Manager 2.1:libyaml-0-2-0.1.3-0.10.16.11.s390x", "SUSE Manager 2.1:oracle-config-1.1-0.10.10.16.noarch", "SUSE Manager 2.1:osa-dispatcher-5.11.33.7-0.7.16.noarch", "SUSE Manager 2.1:perl-Class-Singleton-1.4-4.13.38.noarch", "SUSE Manager 2.1:perl-NOCpulse-Object-1.26.13.2-0.7.13.noarch", "SUSE Manager 2.1:perl-Satcon-1.20.2-0.7.6.noarch", "SUSE Manager 2.1:perl-auditlog-keeper-client-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:postgresql91-pltcl-9.1.15-0.3.1.s390x", "SUSE Manager 2.1:pxe-default-image-0.1-0.20.56.noarch", "SUSE Manager 
2.1:python-enum34-1.0-0.7.33.s390x", "SUSE Manager 2.1:python-gzipstream-1.10.2.2-0.7.6.s390x", "SUSE Manager 2.1:rhn-custom-info-5.4.22.6-0.7.13.noarch", "SUSE Manager 2.1:rhnlib-2.5.69.6-0.7.6.s390x", "SUSE Manager 2.1:rhnmd-5.3.18.4-0.7.15.noarch", "SUSE Manager 2.1:rhnpush-5.5.71.7-0.7.16.noarch", "SUSE Manager 2.1:sm-ncc-sync-data-2.1.9-0.7.6.noarch", "SUSE Manager 2.1:smdba-1.5.1-0.7.6.s390x", "SUSE Manager 2.1:spacecmd-2.1.25.7-0.7.9.s390x", "SUSE Manager 2.1:spacewalk-admin-2.1.2.4-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-backend-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-app-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-applet-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-common-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-tool-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-export-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-package-push-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-oracle-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-postgresql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-tools-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xml-export-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xmlrpc-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-base-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-config-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-branding-2.1.33.10-0.7.16.s390x", "SUSE Manager 
2.1:spacewalk-certs-tools-2.1.6.5-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-check-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-setup-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-tools-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-config-2.1.5.4-0.7.15.noarch", "SUSE Manager 2.1:spacewalk-doc-indexes-2.1.2.3-0.7.26.noarch", "SUSE Manager 2.1:spacewalk-grail-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-html-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-java-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-config-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-lib-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-oracle-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-postgresql-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-pxt-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-reports-2.1.14.8-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-search-2.1.14.6-0.7.18.noarch", "SUSE Manager 2.1:spacewalk-setup-2.1.14.9-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-setup-jabberd-2.1.0.2-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-sniglets-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-taskomatic-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-utils-2.1.27.12-0.7.25.noarch", "SUSE Manager 2.1:spacewalksd-5.0.14.6-0.7.15.s390x", "SUSE Manager 2.1:struts-1.2.9-162.33.22.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-1.0.3-0.5.5.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-client-1.0.4-0.5.5.noarch", "SUSE Manager 2.1:suseRegisterInfo-2.1.9-0.7.29.s390x", "SUSE Manager 2.1:susemanager-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-client-config_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-install_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-jsp_en-2.1-0.15.23.noarch", "SUSE Manager 2.1:susemanager-manuals_en-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-proxy-quick_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 
2.1:susemanager-reference_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-schema-2.1.50.11-0.7.8.noarch", "SUSE Manager 2.1:susemanager-sync-data-2.1.5-0.7.6.noarch", "SUSE Manager 2.1:susemanager-tools-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-user_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:tanukiwrapper-3.2.3-0.10.12.s390x", "SUSE Manager 2.1:yum-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:yum-common-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:zypp-plugin-spacewalk-0.9.8-0.15.51.s390x", ], }, ], threats: [ { category: "impact", date: "2015-02-25T20:05:05Z", details: "important", }, ], title: "CVE-2014-0240", }, { cve: "CVE-2014-0242", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2014-0242", }, ], notes: [ { category: "general", text: "mod_wsgi module before 3.4 for Apache, when used in embedded mode, might allow remote attackers to obtain sensitive information via the Content-Type header which is generated from memory that may have been freed and then overwritten by a separate thread.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Manager 2.1:apache2-mod_wsgi-3.3-5.7.17.s390x", "SUSE Manager 2.1:auditlog-keeper-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-rdbms-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-spacewalk-validator-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-syslog-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-xmlout-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:cobbler-2.2.2-0.54.9.s390x", "SUSE Manager 2.1:google-gson-2.2.4-0.7.52.noarch", "SUSE Manager 2.1:libyaml-0-2-0.1.3-0.10.16.11.s390x", "SUSE Manager 2.1:oracle-config-1.1-0.10.10.16.noarch", "SUSE Manager 2.1:osa-dispatcher-5.11.33.7-0.7.16.noarch", "SUSE Manager 2.1:perl-Class-Singleton-1.4-4.13.38.noarch", "SUSE Manager 
2.1:perl-NOCpulse-Object-1.26.13.2-0.7.13.noarch", "SUSE Manager 2.1:perl-Satcon-1.20.2-0.7.6.noarch", "SUSE Manager 2.1:perl-auditlog-keeper-client-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:postgresql91-pltcl-9.1.15-0.3.1.s390x", "SUSE Manager 2.1:pxe-default-image-0.1-0.20.56.noarch", "SUSE Manager 2.1:python-enum34-1.0-0.7.33.s390x", "SUSE Manager 2.1:python-gzipstream-1.10.2.2-0.7.6.s390x", "SUSE Manager 2.1:rhn-custom-info-5.4.22.6-0.7.13.noarch", "SUSE Manager 2.1:rhnlib-2.5.69.6-0.7.6.s390x", "SUSE Manager 2.1:rhnmd-5.3.18.4-0.7.15.noarch", "SUSE Manager 2.1:rhnpush-5.5.71.7-0.7.16.noarch", "SUSE Manager 2.1:sm-ncc-sync-data-2.1.9-0.7.6.noarch", "SUSE Manager 2.1:smdba-1.5.1-0.7.6.s390x", "SUSE Manager 2.1:spacecmd-2.1.25.7-0.7.9.s390x", "SUSE Manager 2.1:spacewalk-admin-2.1.2.4-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-backend-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-app-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-applet-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-common-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-tool-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-export-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-package-push-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-oracle-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-postgresql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-tools-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xml-export-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 
2.1:spacewalk-backend-xmlrpc-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-base-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-config-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-branding-2.1.33.10-0.7.16.s390x", "SUSE Manager 2.1:spacewalk-certs-tools-2.1.6.5-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-check-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-setup-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-tools-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-config-2.1.5.4-0.7.15.noarch", "SUSE Manager 2.1:spacewalk-doc-indexes-2.1.2.3-0.7.26.noarch", "SUSE Manager 2.1:spacewalk-grail-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-html-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-java-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-config-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-lib-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-oracle-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-postgresql-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-pxt-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-reports-2.1.14.8-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-search-2.1.14.6-0.7.18.noarch", "SUSE Manager 2.1:spacewalk-setup-2.1.14.9-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-setup-jabberd-2.1.0.2-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-sniglets-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-taskomatic-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-utils-2.1.27.12-0.7.25.noarch", "SUSE Manager 2.1:spacewalksd-5.0.14.6-0.7.15.s390x", "SUSE Manager 2.1:struts-1.2.9-162.33.22.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-1.0.3-0.5.5.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-client-1.0.4-0.5.5.noarch", "SUSE Manager 2.1:suseRegisterInfo-2.1.9-0.7.29.s390x", "SUSE Manager 2.1:susemanager-2.1.17-0.7.11.s390x", "SUSE Manager 
2.1:susemanager-client-config_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-install_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-jsp_en-2.1-0.15.23.noarch", "SUSE Manager 2.1:susemanager-manuals_en-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-proxy-quick_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-reference_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-schema-2.1.50.11-0.7.8.noarch", "SUSE Manager 2.1:susemanager-sync-data-2.1.5-0.7.6.noarch", "SUSE Manager 2.1:susemanager-tools-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-user_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:tanukiwrapper-3.2.3-0.10.12.s390x", "SUSE Manager 2.1:yum-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:yum-common-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:zypp-plugin-spacewalk-0.9.8-0.15.51.s390x", ], }, references: [ { category: "external", summary: "CVE-2014-0242", url: "https://www.suse.com/security/cve/CVE-2014-0242", }, { category: "external", summary: "SUSE Bug 878553 for CVE-2014-0242", url: "https://bugzilla.suse.com/878553", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Manager 2.1:apache2-mod_wsgi-3.3-5.7.17.s390x", "SUSE Manager 2.1:auditlog-keeper-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-rdbms-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-spacewalk-validator-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-syslog-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-xmlout-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:cobbler-2.2.2-0.54.9.s390x", "SUSE Manager 2.1:google-gson-2.2.4-0.7.52.noarch", "SUSE Manager 2.1:libyaml-0-2-0.1.3-0.10.16.11.s390x", "SUSE Manager 2.1:oracle-config-1.1-0.10.10.16.noarch", "SUSE Manager 
2.1:osa-dispatcher-5.11.33.7-0.7.16.noarch", "SUSE Manager 2.1:perl-Class-Singleton-1.4-4.13.38.noarch", "SUSE Manager 2.1:perl-NOCpulse-Object-1.26.13.2-0.7.13.noarch", "SUSE Manager 2.1:perl-Satcon-1.20.2-0.7.6.noarch", "SUSE Manager 2.1:perl-auditlog-keeper-client-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:postgresql91-pltcl-9.1.15-0.3.1.s390x", "SUSE Manager 2.1:pxe-default-image-0.1-0.20.56.noarch", "SUSE Manager 2.1:python-enum34-1.0-0.7.33.s390x", "SUSE Manager 2.1:python-gzipstream-1.10.2.2-0.7.6.s390x", "SUSE Manager 2.1:rhn-custom-info-5.4.22.6-0.7.13.noarch", "SUSE Manager 2.1:rhnlib-2.5.69.6-0.7.6.s390x", "SUSE Manager 2.1:rhnmd-5.3.18.4-0.7.15.noarch", "SUSE Manager 2.1:rhnpush-5.5.71.7-0.7.16.noarch", "SUSE Manager 2.1:sm-ncc-sync-data-2.1.9-0.7.6.noarch", "SUSE Manager 2.1:smdba-1.5.1-0.7.6.s390x", "SUSE Manager 2.1:spacecmd-2.1.25.7-0.7.9.s390x", "SUSE Manager 2.1:spacewalk-admin-2.1.2.4-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-backend-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-app-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-applet-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-common-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-tool-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-export-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-package-push-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-oracle-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-postgresql-2.1.55.15-0.7.11.s390x", "SUSE Manager 
2.1:spacewalk-backend-tools-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xml-export-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xmlrpc-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-base-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-config-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-branding-2.1.33.10-0.7.16.s390x", "SUSE Manager 2.1:spacewalk-certs-tools-2.1.6.5-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-check-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-setup-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-tools-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-config-2.1.5.4-0.7.15.noarch", "SUSE Manager 2.1:spacewalk-doc-indexes-2.1.2.3-0.7.26.noarch", "SUSE Manager 2.1:spacewalk-grail-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-html-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-java-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-config-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-lib-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-oracle-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-postgresql-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-pxt-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-reports-2.1.14.8-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-search-2.1.14.6-0.7.18.noarch", "SUSE Manager 2.1:spacewalk-setup-2.1.14.9-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-setup-jabberd-2.1.0.2-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-sniglets-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-taskomatic-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-utils-2.1.27.12-0.7.25.noarch", "SUSE Manager 2.1:spacewalksd-5.0.14.6-0.7.15.s390x", "SUSE Manager 2.1:struts-1.2.9-162.33.22.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-1.0.3-0.5.5.noarch", "SUSE Manager 
2.1:supportutils-plugin-susemanager-client-1.0.4-0.5.5.noarch", "SUSE Manager 2.1:suseRegisterInfo-2.1.9-0.7.29.s390x", "SUSE Manager 2.1:susemanager-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-client-config_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-install_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-jsp_en-2.1-0.15.23.noarch", "SUSE Manager 2.1:susemanager-manuals_en-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-proxy-quick_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-reference_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-schema-2.1.50.11-0.7.8.noarch", "SUSE Manager 2.1:susemanager-sync-data-2.1.5-0.7.6.noarch", "SUSE Manager 2.1:susemanager-tools-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-user_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:tanukiwrapper-3.2.3-0.10.12.s390x", "SUSE Manager 2.1:yum-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:yum-common-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:zypp-plugin-spacewalk-0.9.8-0.15.51.s390x", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "SUSE Manager 2.1:apache2-mod_wsgi-3.3-5.7.17.s390x", "SUSE Manager 2.1:auditlog-keeper-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-rdbms-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-spacewalk-validator-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-syslog-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-xmlout-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:cobbler-2.2.2-0.54.9.s390x", "SUSE Manager 2.1:google-gson-2.2.4-0.7.52.noarch", "SUSE Manager 2.1:libyaml-0-2-0.1.3-0.10.16.11.s390x", "SUSE Manager 2.1:oracle-config-1.1-0.10.10.16.noarch", "SUSE Manager 2.1:osa-dispatcher-5.11.33.7-0.7.16.noarch", "SUSE Manager 
2.1:perl-Class-Singleton-1.4-4.13.38.noarch", "SUSE Manager 2.1:perl-NOCpulse-Object-1.26.13.2-0.7.13.noarch", "SUSE Manager 2.1:perl-Satcon-1.20.2-0.7.6.noarch", "SUSE Manager 2.1:perl-auditlog-keeper-client-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:postgresql91-pltcl-9.1.15-0.3.1.s390x", "SUSE Manager 2.1:pxe-default-image-0.1-0.20.56.noarch", "SUSE Manager 2.1:python-enum34-1.0-0.7.33.s390x", "SUSE Manager 2.1:python-gzipstream-1.10.2.2-0.7.6.s390x", "SUSE Manager 2.1:rhn-custom-info-5.4.22.6-0.7.13.noarch", "SUSE Manager 2.1:rhnlib-2.5.69.6-0.7.6.s390x", "SUSE Manager 2.1:rhnmd-5.3.18.4-0.7.15.noarch", "SUSE Manager 2.1:rhnpush-5.5.71.7-0.7.16.noarch", "SUSE Manager 2.1:sm-ncc-sync-data-2.1.9-0.7.6.noarch", "SUSE Manager 2.1:smdba-1.5.1-0.7.6.s390x", "SUSE Manager 2.1:spacecmd-2.1.25.7-0.7.9.s390x", "SUSE Manager 2.1:spacewalk-admin-2.1.2.4-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-backend-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-app-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-applet-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-common-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-tool-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-export-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-package-push-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-oracle-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-postgresql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-tools-2.1.55.15-0.7.11.s390x", "SUSE Manager 
2.1:spacewalk-backend-xml-export-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xmlrpc-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-base-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-config-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-branding-2.1.33.10-0.7.16.s390x", "SUSE Manager 2.1:spacewalk-certs-tools-2.1.6.5-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-check-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-setup-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-tools-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-config-2.1.5.4-0.7.15.noarch", "SUSE Manager 2.1:spacewalk-doc-indexes-2.1.2.3-0.7.26.noarch", "SUSE Manager 2.1:spacewalk-grail-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-html-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-java-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-config-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-lib-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-oracle-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-postgresql-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-pxt-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-reports-2.1.14.8-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-search-2.1.14.6-0.7.18.noarch", "SUSE Manager 2.1:spacewalk-setup-2.1.14.9-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-setup-jabberd-2.1.0.2-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-sniglets-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-taskomatic-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-utils-2.1.27.12-0.7.25.noarch", "SUSE Manager 2.1:spacewalksd-5.0.14.6-0.7.15.s390x", "SUSE Manager 2.1:struts-1.2.9-162.33.22.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-1.0.3-0.5.5.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-client-1.0.4-0.5.5.noarch", "SUSE Manager 
2.1:suseRegisterInfo-2.1.9-0.7.29.s390x", "SUSE Manager 2.1:susemanager-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-client-config_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-install_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-jsp_en-2.1-0.15.23.noarch", "SUSE Manager 2.1:susemanager-manuals_en-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-proxy-quick_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-reference_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-schema-2.1.50.11-0.7.8.noarch", "SUSE Manager 2.1:susemanager-sync-data-2.1.5-0.7.6.noarch", "SUSE Manager 2.1:susemanager-tools-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-user_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:tanukiwrapper-3.2.3-0.10.12.s390x", "SUSE Manager 2.1:yum-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:yum-common-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:zypp-plugin-spacewalk-0.9.8-0.15.51.s390x", ], }, ], threats: [ { category: "impact", date: "2015-02-25T20:05:05Z", details: "important", }, ], title: "CVE-2014-0242", }, { cve: "CVE-2014-3654", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2014-3654", }, ], notes: [ { category: "general", text: "Multiple cross-site scripting (XSS) vulnerabilities in spacewalk-java 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.5 and 5.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to (1) kickstart/cobbler/CustomSnippetList.do, (2) channels/software/Entitlements.do, or (3) admin/multiorg/OrgUsers.do.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Manager 2.1:apache2-mod_wsgi-3.3-5.7.17.s390x", "SUSE Manager 2.1:auditlog-keeper-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-rdbms-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-spacewalk-validator-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 
2.1:auditlog-keeper-syslog-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-xmlout-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:cobbler-2.2.2-0.54.9.s390x", "SUSE Manager 2.1:google-gson-2.2.4-0.7.52.noarch", "SUSE Manager 2.1:libyaml-0-2-0.1.3-0.10.16.11.s390x", "SUSE Manager 2.1:oracle-config-1.1-0.10.10.16.noarch", "SUSE Manager 2.1:osa-dispatcher-5.11.33.7-0.7.16.noarch", "SUSE Manager 2.1:perl-Class-Singleton-1.4-4.13.38.noarch", "SUSE Manager 2.1:perl-NOCpulse-Object-1.26.13.2-0.7.13.noarch", "SUSE Manager 2.1:perl-Satcon-1.20.2-0.7.6.noarch", "SUSE Manager 2.1:perl-auditlog-keeper-client-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:postgresql91-pltcl-9.1.15-0.3.1.s390x", "SUSE Manager 2.1:pxe-default-image-0.1-0.20.56.noarch", "SUSE Manager 2.1:python-enum34-1.0-0.7.33.s390x", "SUSE Manager 2.1:python-gzipstream-1.10.2.2-0.7.6.s390x", "SUSE Manager 2.1:rhn-custom-info-5.4.22.6-0.7.13.noarch", "SUSE Manager 2.1:rhnlib-2.5.69.6-0.7.6.s390x", "SUSE Manager 2.1:rhnmd-5.3.18.4-0.7.15.noarch", "SUSE Manager 2.1:rhnpush-5.5.71.7-0.7.16.noarch", "SUSE Manager 2.1:sm-ncc-sync-data-2.1.9-0.7.6.noarch", "SUSE Manager 2.1:smdba-1.5.1-0.7.6.s390x", "SUSE Manager 2.1:spacecmd-2.1.25.7-0.7.9.s390x", "SUSE Manager 2.1:spacewalk-admin-2.1.2.4-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-backend-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-app-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-applet-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-common-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-tool-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-export-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 
2.1:spacewalk-backend-package-push-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-oracle-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-postgresql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-tools-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xml-export-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xmlrpc-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-base-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-config-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-branding-2.1.33.10-0.7.16.s390x", "SUSE Manager 2.1:spacewalk-certs-tools-2.1.6.5-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-check-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-setup-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-tools-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-config-2.1.5.4-0.7.15.noarch", "SUSE Manager 2.1:spacewalk-doc-indexes-2.1.2.3-0.7.26.noarch", "SUSE Manager 2.1:spacewalk-grail-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-html-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-java-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-config-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-lib-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-oracle-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-postgresql-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-pxt-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-reports-2.1.14.8-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-search-2.1.14.6-0.7.18.noarch", "SUSE Manager 2.1:spacewalk-setup-2.1.14.9-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-setup-jabberd-2.1.0.2-0.7.6.noarch", "SUSE Manager 
2.1:spacewalk-sniglets-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-taskomatic-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-utils-2.1.27.12-0.7.25.noarch", "SUSE Manager 2.1:spacewalksd-5.0.14.6-0.7.15.s390x", "SUSE Manager 2.1:struts-1.2.9-162.33.22.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-1.0.3-0.5.5.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-client-1.0.4-0.5.5.noarch", "SUSE Manager 2.1:suseRegisterInfo-2.1.9-0.7.29.s390x", "SUSE Manager 2.1:susemanager-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-client-config_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-install_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-jsp_en-2.1-0.15.23.noarch", "SUSE Manager 2.1:susemanager-manuals_en-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-proxy-quick_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-reference_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-schema-2.1.50.11-0.7.8.noarch", "SUSE Manager 2.1:susemanager-sync-data-2.1.5-0.7.6.noarch", "SUSE Manager 2.1:susemanager-tools-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-user_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:tanukiwrapper-3.2.3-0.10.12.s390x", "SUSE Manager 2.1:yum-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:yum-common-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:zypp-plugin-spacewalk-0.9.8-0.15.51.s390x", ], }, references: [ { category: "external", summary: "CVE-2014-3654", url: "https://www.suse.com/security/cve/CVE-2014-3654", }, { category: "external", summary: "SUSE Bug 902182 for CVE-2014-3654", url: "https://bugzilla.suse.com/902182", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Manager 2.1:apache2-mod_wsgi-3.3-5.7.17.s390x", "SUSE Manager 2.1:auditlog-keeper-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 
2.1:auditlog-keeper-rdbms-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-spacewalk-validator-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-syslog-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-xmlout-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:cobbler-2.2.2-0.54.9.s390x", "SUSE Manager 2.1:google-gson-2.2.4-0.7.52.noarch", "SUSE Manager 2.1:libyaml-0-2-0.1.3-0.10.16.11.s390x", "SUSE Manager 2.1:oracle-config-1.1-0.10.10.16.noarch", "SUSE Manager 2.1:osa-dispatcher-5.11.33.7-0.7.16.noarch", "SUSE Manager 2.1:perl-Class-Singleton-1.4-4.13.38.noarch", "SUSE Manager 2.1:perl-NOCpulse-Object-1.26.13.2-0.7.13.noarch", "SUSE Manager 2.1:perl-Satcon-1.20.2-0.7.6.noarch", "SUSE Manager 2.1:perl-auditlog-keeper-client-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:postgresql91-pltcl-9.1.15-0.3.1.s390x", "SUSE Manager 2.1:pxe-default-image-0.1-0.20.56.noarch", "SUSE Manager 2.1:python-enum34-1.0-0.7.33.s390x", "SUSE Manager 2.1:python-gzipstream-1.10.2.2-0.7.6.s390x", "SUSE Manager 2.1:rhn-custom-info-5.4.22.6-0.7.13.noarch", "SUSE Manager 2.1:rhnlib-2.5.69.6-0.7.6.s390x", "SUSE Manager 2.1:rhnmd-5.3.18.4-0.7.15.noarch", "SUSE Manager 2.1:rhnpush-5.5.71.7-0.7.16.noarch", "SUSE Manager 2.1:sm-ncc-sync-data-2.1.9-0.7.6.noarch", "SUSE Manager 2.1:smdba-1.5.1-0.7.6.s390x", "SUSE Manager 2.1:spacecmd-2.1.25.7-0.7.9.s390x", "SUSE Manager 2.1:spacewalk-admin-2.1.2.4-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-backend-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-app-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-applet-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-common-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-tool-2.1.55.15-0.7.11.s390x", "SUSE Manager 
2.1:spacewalk-backend-iss-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-export-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-package-push-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-oracle-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-postgresql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-tools-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xml-export-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xmlrpc-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-base-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-config-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-branding-2.1.33.10-0.7.16.s390x", "SUSE Manager 2.1:spacewalk-certs-tools-2.1.6.5-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-check-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-setup-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-tools-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-config-2.1.5.4-0.7.15.noarch", "SUSE Manager 2.1:spacewalk-doc-indexes-2.1.2.3-0.7.26.noarch", "SUSE Manager 2.1:spacewalk-grail-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-html-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-java-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-config-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-lib-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-oracle-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-postgresql-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-pxt-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-reports-2.1.14.8-0.7.10.noarch", "SUSE Manager 
2.1:spacewalk-search-2.1.14.6-0.7.18.noarch", "SUSE Manager 2.1:spacewalk-setup-2.1.14.9-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-setup-jabberd-2.1.0.2-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-sniglets-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-taskomatic-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-utils-2.1.27.12-0.7.25.noarch", "SUSE Manager 2.1:spacewalksd-5.0.14.6-0.7.15.s390x", "SUSE Manager 2.1:struts-1.2.9-162.33.22.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-1.0.3-0.5.5.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-client-1.0.4-0.5.5.noarch", "SUSE Manager 2.1:suseRegisterInfo-2.1.9-0.7.29.s390x", "SUSE Manager 2.1:susemanager-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-client-config_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-install_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-jsp_en-2.1-0.15.23.noarch", "SUSE Manager 2.1:susemanager-manuals_en-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-proxy-quick_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-reference_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-schema-2.1.50.11-0.7.8.noarch", "SUSE Manager 2.1:susemanager-sync-data-2.1.5-0.7.6.noarch", "SUSE Manager 2.1:susemanager-tools-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-user_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:tanukiwrapper-3.2.3-0.10.12.s390x", "SUSE Manager 2.1:yum-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:yum-common-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:zypp-plugin-spacewalk-0.9.8-0.15.51.s390x", ], }, ], threats: [ { category: "impact", date: "2015-02-25T20:05:05Z", details: "moderate", }, ], title: "CVE-2014-3654", }, { cve: "CVE-2014-7811", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2014-7811", }, ], notes: [ { category: "general", text: "Multiple cross-site scripting (XSS) vulnerabilities in Spacewalk and Red Hat Network (RHN) Satellite before 5.7.0 allow remote 
authenticated users to inject arbitrary web script or HTML via crafted XML data to the REST API.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Manager 2.1:apache2-mod_wsgi-3.3-5.7.17.s390x", "SUSE Manager 2.1:auditlog-keeper-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-rdbms-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-spacewalk-validator-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-syslog-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-xmlout-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:cobbler-2.2.2-0.54.9.s390x", "SUSE Manager 2.1:google-gson-2.2.4-0.7.52.noarch", "SUSE Manager 2.1:libyaml-0-2-0.1.3-0.10.16.11.s390x", "SUSE Manager 2.1:oracle-config-1.1-0.10.10.16.noarch", "SUSE Manager 2.1:osa-dispatcher-5.11.33.7-0.7.16.noarch", "SUSE Manager 2.1:perl-Class-Singleton-1.4-4.13.38.noarch", "SUSE Manager 2.1:perl-NOCpulse-Object-1.26.13.2-0.7.13.noarch", "SUSE Manager 2.1:perl-Satcon-1.20.2-0.7.6.noarch", "SUSE Manager 2.1:perl-auditlog-keeper-client-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:postgresql91-pltcl-9.1.15-0.3.1.s390x", "SUSE Manager 2.1:pxe-default-image-0.1-0.20.56.noarch", "SUSE Manager 2.1:python-enum34-1.0-0.7.33.s390x", "SUSE Manager 2.1:python-gzipstream-1.10.2.2-0.7.6.s390x", "SUSE Manager 2.1:rhn-custom-info-5.4.22.6-0.7.13.noarch", "SUSE Manager 2.1:rhnlib-2.5.69.6-0.7.6.s390x", "SUSE Manager 2.1:rhnmd-5.3.18.4-0.7.15.noarch", "SUSE Manager 2.1:rhnpush-5.5.71.7-0.7.16.noarch", "SUSE Manager 2.1:sm-ncc-sync-data-2.1.9-0.7.6.noarch", "SUSE Manager 2.1:smdba-1.5.1-0.7.6.s390x", "SUSE Manager 2.1:spacecmd-2.1.25.7-0.7.9.s390x", "SUSE Manager 2.1:spacewalk-admin-2.1.2.4-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-backend-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-app-2.1.55.15-0.7.11.s390x", "SUSE Manager 
2.1:spacewalk-backend-applet-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-common-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-tool-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-export-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-package-push-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-oracle-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-postgresql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-tools-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xml-export-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xmlrpc-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-base-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-config-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-branding-2.1.33.10-0.7.16.s390x", "SUSE Manager 2.1:spacewalk-certs-tools-2.1.6.5-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-check-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-setup-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-tools-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-config-2.1.5.4-0.7.15.noarch", "SUSE Manager 2.1:spacewalk-doc-indexes-2.1.2.3-0.7.26.noarch", "SUSE Manager 2.1:spacewalk-grail-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-html-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-java-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-config-2.1.165.14-0.7.16.noarch", "SUSE Manager 
2.1:spacewalk-java-lib-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-oracle-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-postgresql-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-pxt-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-reports-2.1.14.8-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-search-2.1.14.6-0.7.18.noarch", "SUSE Manager 2.1:spacewalk-setup-2.1.14.9-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-setup-jabberd-2.1.0.2-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-sniglets-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-taskomatic-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-utils-2.1.27.12-0.7.25.noarch", "SUSE Manager 2.1:spacewalksd-5.0.14.6-0.7.15.s390x", "SUSE Manager 2.1:struts-1.2.9-162.33.22.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-1.0.3-0.5.5.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-client-1.0.4-0.5.5.noarch", "SUSE Manager 2.1:suseRegisterInfo-2.1.9-0.7.29.s390x", "SUSE Manager 2.1:susemanager-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-client-config_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-install_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-jsp_en-2.1-0.15.23.noarch", "SUSE Manager 2.1:susemanager-manuals_en-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-proxy-quick_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-reference_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-schema-2.1.50.11-0.7.8.noarch", "SUSE Manager 2.1:susemanager-sync-data-2.1.5-0.7.6.noarch", "SUSE Manager 2.1:susemanager-tools-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-user_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:tanukiwrapper-3.2.3-0.10.12.s390x", "SUSE Manager 2.1:yum-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:yum-common-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:zypp-plugin-spacewalk-0.9.8-0.15.51.s390x", ], }, references: [ { category: "external", summary: "CVE-2014-7811", url: 
"https://www.suse.com/security/cve/CVE-2014-7811", }, { category: "external", summary: "SUSE Bug 902915 for CVE-2014-7811", url: "https://bugzilla.suse.com/902915", }, { category: "external", summary: "SUSE Bug 912886 for CVE-2014-7811", url: "https://bugzilla.suse.com/912886", }, { category: "external", summary: "SUSE Bug 922740 for CVE-2014-7811", url: "https://bugzilla.suse.com/922740", }, { category: "external", summary: "SUSE Bug 969911 for CVE-2014-7811", url: "https://bugzilla.suse.com/969911", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Manager 2.1:apache2-mod_wsgi-3.3-5.7.17.s390x", "SUSE Manager 2.1:auditlog-keeper-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-rdbms-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-spacewalk-validator-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-syslog-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-xmlout-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:cobbler-2.2.2-0.54.9.s390x", "SUSE Manager 2.1:google-gson-2.2.4-0.7.52.noarch", "SUSE Manager 2.1:libyaml-0-2-0.1.3-0.10.16.11.s390x", "SUSE Manager 2.1:oracle-config-1.1-0.10.10.16.noarch", "SUSE Manager 2.1:osa-dispatcher-5.11.33.7-0.7.16.noarch", "SUSE Manager 2.1:perl-Class-Singleton-1.4-4.13.38.noarch", "SUSE Manager 2.1:perl-NOCpulse-Object-1.26.13.2-0.7.13.noarch", "SUSE Manager 2.1:perl-Satcon-1.20.2-0.7.6.noarch", "SUSE Manager 2.1:perl-auditlog-keeper-client-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:postgresql91-pltcl-9.1.15-0.3.1.s390x", "SUSE Manager 2.1:pxe-default-image-0.1-0.20.56.noarch", "SUSE Manager 2.1:python-enum34-1.0-0.7.33.s390x", "SUSE Manager 2.1:python-gzipstream-1.10.2.2-0.7.6.s390x", "SUSE Manager 
2.1:rhn-custom-info-5.4.22.6-0.7.13.noarch", "SUSE Manager 2.1:rhnlib-2.5.69.6-0.7.6.s390x", "SUSE Manager 2.1:rhnmd-5.3.18.4-0.7.15.noarch", "SUSE Manager 2.1:rhnpush-5.5.71.7-0.7.16.noarch", "SUSE Manager 2.1:sm-ncc-sync-data-2.1.9-0.7.6.noarch", "SUSE Manager 2.1:smdba-1.5.1-0.7.6.s390x", "SUSE Manager 2.1:spacecmd-2.1.25.7-0.7.9.s390x", "SUSE Manager 2.1:spacewalk-admin-2.1.2.4-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-backend-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-app-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-applet-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-common-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-tool-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-export-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-package-push-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-oracle-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-postgresql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-tools-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xml-export-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xmlrpc-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-base-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-config-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-branding-2.1.33.10-0.7.16.s390x", "SUSE Manager 2.1:spacewalk-certs-tools-2.1.6.5-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-check-2.1.16.6-0.7.9.noarch", "SUSE Manager 
2.1:spacewalk-client-setup-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-tools-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-config-2.1.5.4-0.7.15.noarch", "SUSE Manager 2.1:spacewalk-doc-indexes-2.1.2.3-0.7.26.noarch", "SUSE Manager 2.1:spacewalk-grail-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-html-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-java-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-config-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-lib-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-oracle-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-postgresql-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-pxt-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-reports-2.1.14.8-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-search-2.1.14.6-0.7.18.noarch", "SUSE Manager 2.1:spacewalk-setup-2.1.14.9-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-setup-jabberd-2.1.0.2-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-sniglets-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-taskomatic-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-utils-2.1.27.12-0.7.25.noarch", "SUSE Manager 2.1:spacewalksd-5.0.14.6-0.7.15.s390x", "SUSE Manager 2.1:struts-1.2.9-162.33.22.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-1.0.3-0.5.5.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-client-1.0.4-0.5.5.noarch", "SUSE Manager 2.1:suseRegisterInfo-2.1.9-0.7.29.s390x", "SUSE Manager 2.1:susemanager-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-client-config_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-install_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-jsp_en-2.1-0.15.23.noarch", "SUSE Manager 2.1:susemanager-manuals_en-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-proxy-quick_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-reference_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-schema-2.1.50.11-0.7.8.noarch", "SUSE 
Manager 2.1:susemanager-sync-data-2.1.5-0.7.6.noarch", "SUSE Manager 2.1:susemanager-tools-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-user_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:tanukiwrapper-3.2.3-0.10.12.s390x", "SUSE Manager 2.1:yum-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:yum-common-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:zypp-plugin-spacewalk-0.9.8-0.15.51.s390x", ], }, ], threats: [ { category: "impact", date: "2015-02-25T20:05:05Z", details: "moderate", }, ], title: "CVE-2014-7811", }, { cve: "CVE-2014-7812", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2014-7812", }, ], notes: [ { category: "general", text: "Cross-site scripting (XSS) vulnerability in Spacewalk and Red Hat Network (RHN) Satellite before 5.7.0 allows remote authenticated users to inject arbitrary web script or HTML via the System Groups field.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Manager 2.1:apache2-mod_wsgi-3.3-5.7.17.s390x", "SUSE Manager 2.1:auditlog-keeper-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-rdbms-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-spacewalk-validator-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-syslog-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-xmlout-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:cobbler-2.2.2-0.54.9.s390x", "SUSE Manager 2.1:google-gson-2.2.4-0.7.52.noarch", "SUSE Manager 2.1:libyaml-0-2-0.1.3-0.10.16.11.s390x", "SUSE Manager 2.1:oracle-config-1.1-0.10.10.16.noarch", "SUSE Manager 2.1:osa-dispatcher-5.11.33.7-0.7.16.noarch", "SUSE Manager 2.1:perl-Class-Singleton-1.4-4.13.38.noarch", "SUSE Manager 2.1:perl-NOCpulse-Object-1.26.13.2-0.7.13.noarch", "SUSE Manager 2.1:perl-Satcon-1.20.2-0.7.6.noarch", "SUSE Manager 2.1:perl-auditlog-keeper-client-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 
2.1:postgresql91-pltcl-9.1.15-0.3.1.s390x", "SUSE Manager 2.1:pxe-default-image-0.1-0.20.56.noarch", "SUSE Manager 2.1:python-enum34-1.0-0.7.33.s390x", "SUSE Manager 2.1:python-gzipstream-1.10.2.2-0.7.6.s390x", "SUSE Manager 2.1:rhn-custom-info-5.4.22.6-0.7.13.noarch", "SUSE Manager 2.1:rhnlib-2.5.69.6-0.7.6.s390x", "SUSE Manager 2.1:rhnmd-5.3.18.4-0.7.15.noarch", "SUSE Manager 2.1:rhnpush-5.5.71.7-0.7.16.noarch", "SUSE Manager 2.1:sm-ncc-sync-data-2.1.9-0.7.6.noarch", "SUSE Manager 2.1:smdba-1.5.1-0.7.6.s390x", "SUSE Manager 2.1:spacecmd-2.1.25.7-0.7.9.s390x", "SUSE Manager 2.1:spacewalk-admin-2.1.2.4-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-backend-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-app-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-applet-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-common-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-tool-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-export-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-package-push-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-oracle-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-postgresql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-tools-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xml-export-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xmlrpc-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-base-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-2.1.60.12-0.7.7.noarch", "SUSE Manager 
2.1:spacewalk-base-minimal-config-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-branding-2.1.33.10-0.7.16.s390x", "SUSE Manager 2.1:spacewalk-certs-tools-2.1.6.5-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-check-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-setup-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-tools-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-config-2.1.5.4-0.7.15.noarch", "SUSE Manager 2.1:spacewalk-doc-indexes-2.1.2.3-0.7.26.noarch", "SUSE Manager 2.1:spacewalk-grail-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-html-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-java-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-config-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-lib-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-oracle-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-postgresql-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-pxt-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-reports-2.1.14.8-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-search-2.1.14.6-0.7.18.noarch", "SUSE Manager 2.1:spacewalk-setup-2.1.14.9-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-setup-jabberd-2.1.0.2-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-sniglets-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-taskomatic-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-utils-2.1.27.12-0.7.25.noarch", "SUSE Manager 2.1:spacewalksd-5.0.14.6-0.7.15.s390x", "SUSE Manager 2.1:struts-1.2.9-162.33.22.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-1.0.3-0.5.5.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-client-1.0.4-0.5.5.noarch", "SUSE Manager 2.1:suseRegisterInfo-2.1.9-0.7.29.s390x", "SUSE Manager 2.1:susemanager-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-client-config_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-install_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-jsp_en-2.1-0.15.23.noarch", "SUSE 
Manager 2.1:susemanager-manuals_en-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-proxy-quick_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-reference_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-schema-2.1.50.11-0.7.8.noarch", "SUSE Manager 2.1:susemanager-sync-data-2.1.5-0.7.6.noarch", "SUSE Manager 2.1:susemanager-tools-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-user_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:tanukiwrapper-3.2.3-0.10.12.s390x", "SUSE Manager 2.1:yum-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:yum-common-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:zypp-plugin-spacewalk-0.9.8-0.15.51.s390x", ], }, references: [ { category: "external", summary: "CVE-2014-7812", url: "https://www.suse.com/security/cve/CVE-2014-7812", }, { category: "external", summary: "SUSE Bug 912886 for CVE-2014-7812", url: "https://bugzilla.suse.com/912886", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Manager 2.1:apache2-mod_wsgi-3.3-5.7.17.s390x", "SUSE Manager 2.1:auditlog-keeper-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-rdbms-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-spacewalk-validator-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-syslog-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-xmlout-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:cobbler-2.2.2-0.54.9.s390x", "SUSE Manager 2.1:google-gson-2.2.4-0.7.52.noarch", "SUSE Manager 2.1:libyaml-0-2-0.1.3-0.10.16.11.s390x", "SUSE Manager 2.1:oracle-config-1.1-0.10.10.16.noarch", "SUSE Manager 2.1:osa-dispatcher-5.11.33.7-0.7.16.noarch", "SUSE Manager 2.1:perl-Class-Singleton-1.4-4.13.38.noarch", "SUSE Manager 2.1:perl-NOCpulse-Object-1.26.13.2-0.7.13.noarch", "SUSE Manager 
2.1:perl-Satcon-1.20.2-0.7.6.noarch", "SUSE Manager 2.1:perl-auditlog-keeper-client-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:postgresql91-pltcl-9.1.15-0.3.1.s390x", "SUSE Manager 2.1:pxe-default-image-0.1-0.20.56.noarch", "SUSE Manager 2.1:python-enum34-1.0-0.7.33.s390x", "SUSE Manager 2.1:python-gzipstream-1.10.2.2-0.7.6.s390x", "SUSE Manager 2.1:rhn-custom-info-5.4.22.6-0.7.13.noarch", "SUSE Manager 2.1:rhnlib-2.5.69.6-0.7.6.s390x", "SUSE Manager 2.1:rhnmd-5.3.18.4-0.7.15.noarch", "SUSE Manager 2.1:rhnpush-5.5.71.7-0.7.16.noarch", "SUSE Manager 2.1:sm-ncc-sync-data-2.1.9-0.7.6.noarch", "SUSE Manager 2.1:smdba-1.5.1-0.7.6.s390x", "SUSE Manager 2.1:spacecmd-2.1.25.7-0.7.9.s390x", "SUSE Manager 2.1:spacewalk-admin-2.1.2.4-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-backend-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-app-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-applet-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-common-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-tool-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-export-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-package-push-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-oracle-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-postgresql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-tools-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xml-export-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xmlrpc-2.1.55.15-0.7.11.s390x", "SUSE Manager 
2.1:spacewalk-base-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-config-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-branding-2.1.33.10-0.7.16.s390x", "SUSE Manager 2.1:spacewalk-certs-tools-2.1.6.5-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-check-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-setup-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-tools-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-config-2.1.5.4-0.7.15.noarch", "SUSE Manager 2.1:spacewalk-doc-indexes-2.1.2.3-0.7.26.noarch", "SUSE Manager 2.1:spacewalk-grail-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-html-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-java-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-config-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-lib-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-oracle-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-postgresql-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-pxt-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-reports-2.1.14.8-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-search-2.1.14.6-0.7.18.noarch", "SUSE Manager 2.1:spacewalk-setup-2.1.14.9-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-setup-jabberd-2.1.0.2-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-sniglets-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-taskomatic-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-utils-2.1.27.12-0.7.25.noarch", "SUSE Manager 2.1:spacewalksd-5.0.14.6-0.7.15.s390x", "SUSE Manager 2.1:struts-1.2.9-162.33.22.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-1.0.3-0.5.5.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-client-1.0.4-0.5.5.noarch", "SUSE Manager 2.1:suseRegisterInfo-2.1.9-0.7.29.s390x", "SUSE Manager 2.1:susemanager-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-client-config_en-pdf-2.1-0.15.24.noarch", "SUSE 
Manager 2.1:susemanager-install_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-jsp_en-2.1-0.15.23.noarch", "SUSE Manager 2.1:susemanager-manuals_en-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-proxy-quick_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-reference_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-schema-2.1.50.11-0.7.8.noarch", "SUSE Manager 2.1:susemanager-sync-data-2.1.5-0.7.6.noarch", "SUSE Manager 2.1:susemanager-tools-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-user_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:tanukiwrapper-3.2.3-0.10.12.s390x", "SUSE Manager 2.1:yum-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:yum-common-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:zypp-plugin-spacewalk-0.9.8-0.15.51.s390x", ], }, ], threats: [ { category: "impact", date: "2015-02-25T20:05:05Z", details: "low", }, ], title: "CVE-2014-7812", }, { cve: "CVE-2014-8583", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2014-8583", }, ], notes: [ { category: "general", text: "mod_wsgi before 4.2.4 for Apache, when creating a daemon process group, does not properly handle when group privileges cannot be dropped, which might allow attackers to gain privileges via unspecified vectors.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Manager 2.1:apache2-mod_wsgi-3.3-5.7.17.s390x", "SUSE Manager 2.1:auditlog-keeper-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-rdbms-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-spacewalk-validator-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-syslog-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-xmlout-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:cobbler-2.2.2-0.54.9.s390x", "SUSE Manager 2.1:google-gson-2.2.4-0.7.52.noarch", "SUSE Manager 2.1:libyaml-0-2-0.1.3-0.10.16.11.s390x", "SUSE Manager 
2.1:oracle-config-1.1-0.10.10.16.noarch", "SUSE Manager 2.1:osa-dispatcher-5.11.33.7-0.7.16.noarch", "SUSE Manager 2.1:perl-Class-Singleton-1.4-4.13.38.noarch", "SUSE Manager 2.1:perl-NOCpulse-Object-1.26.13.2-0.7.13.noarch", "SUSE Manager 2.1:perl-Satcon-1.20.2-0.7.6.noarch", "SUSE Manager 2.1:perl-auditlog-keeper-client-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:postgresql91-pltcl-9.1.15-0.3.1.s390x", "SUSE Manager 2.1:pxe-default-image-0.1-0.20.56.noarch", "SUSE Manager 2.1:python-enum34-1.0-0.7.33.s390x", "SUSE Manager 2.1:python-gzipstream-1.10.2.2-0.7.6.s390x", "SUSE Manager 2.1:rhn-custom-info-5.4.22.6-0.7.13.noarch", "SUSE Manager 2.1:rhnlib-2.5.69.6-0.7.6.s390x", "SUSE Manager 2.1:rhnmd-5.3.18.4-0.7.15.noarch", "SUSE Manager 2.1:rhnpush-5.5.71.7-0.7.16.noarch", "SUSE Manager 2.1:sm-ncc-sync-data-2.1.9-0.7.6.noarch", "SUSE Manager 2.1:smdba-1.5.1-0.7.6.s390x", "SUSE Manager 2.1:spacecmd-2.1.25.7-0.7.9.s390x", "SUSE Manager 2.1:spacewalk-admin-2.1.2.4-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-backend-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-app-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-applet-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-common-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-tool-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-export-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-package-push-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-oracle-2.1.55.15-0.7.11.s390x", "SUSE Manager 
2.1:spacewalk-backend-sql-postgresql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-tools-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xml-export-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xmlrpc-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-base-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-config-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-branding-2.1.33.10-0.7.16.s390x", "SUSE Manager 2.1:spacewalk-certs-tools-2.1.6.5-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-check-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-setup-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-tools-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-config-2.1.5.4-0.7.15.noarch", "SUSE Manager 2.1:spacewalk-doc-indexes-2.1.2.3-0.7.26.noarch", "SUSE Manager 2.1:spacewalk-grail-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-html-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-java-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-config-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-lib-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-oracle-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-postgresql-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-pxt-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-reports-2.1.14.8-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-search-2.1.14.6-0.7.18.noarch", "SUSE Manager 2.1:spacewalk-setup-2.1.14.9-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-setup-jabberd-2.1.0.2-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-sniglets-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-taskomatic-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-utils-2.1.27.12-0.7.25.noarch", "SUSE Manager 2.1:spacewalksd-5.0.14.6-0.7.15.s390x", "SUSE Manager 2.1:struts-1.2.9-162.33.22.noarch", "SUSE Manager 
2.1:supportutils-plugin-susemanager-1.0.3-0.5.5.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-client-1.0.4-0.5.5.noarch", "SUSE Manager 2.1:suseRegisterInfo-2.1.9-0.7.29.s390x", "SUSE Manager 2.1:susemanager-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-client-config_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-install_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-jsp_en-2.1-0.15.23.noarch", "SUSE Manager 2.1:susemanager-manuals_en-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-proxy-quick_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-reference_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-schema-2.1.50.11-0.7.8.noarch", "SUSE Manager 2.1:susemanager-sync-data-2.1.5-0.7.6.noarch", "SUSE Manager 2.1:susemanager-tools-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-user_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:tanukiwrapper-3.2.3-0.10.12.s390x", "SUSE Manager 2.1:yum-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:yum-common-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:zypp-plugin-spacewalk-0.9.8-0.15.51.s390x", ], }, references: [ { category: "external", summary: "CVE-2014-8583", url: "https://www.suse.com/security/cve/CVE-2014-8583", }, { category: "external", summary: "SUSE Bug 903961 for CVE-2014-8583", url: "https://bugzilla.suse.com/903961", }, { category: "external", summary: "SUSE Bug 907649 for CVE-2014-8583", url: "https://bugzilla.suse.com/907649", }, { category: "external", summary: "SUSE Bug 983032 for CVE-2014-8583", url: "https://bugzilla.suse.com/983032", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Manager 2.1:apache2-mod_wsgi-3.3-5.7.17.s390x", "SUSE Manager 2.1:auditlog-keeper-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-rdbms-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE 
Manager 2.1:auditlog-keeper-spacewalk-validator-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-syslog-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-xmlout-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:cobbler-2.2.2-0.54.9.s390x", "SUSE Manager 2.1:google-gson-2.2.4-0.7.52.noarch", "SUSE Manager 2.1:libyaml-0-2-0.1.3-0.10.16.11.s390x", "SUSE Manager 2.1:oracle-config-1.1-0.10.10.16.noarch", "SUSE Manager 2.1:osa-dispatcher-5.11.33.7-0.7.16.noarch", "SUSE Manager 2.1:perl-Class-Singleton-1.4-4.13.38.noarch", "SUSE Manager 2.1:perl-NOCpulse-Object-1.26.13.2-0.7.13.noarch", "SUSE Manager 2.1:perl-Satcon-1.20.2-0.7.6.noarch", "SUSE Manager 2.1:perl-auditlog-keeper-client-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:postgresql91-pltcl-9.1.15-0.3.1.s390x", "SUSE Manager 2.1:pxe-default-image-0.1-0.20.56.noarch", "SUSE Manager 2.1:python-enum34-1.0-0.7.33.s390x", "SUSE Manager 2.1:python-gzipstream-1.10.2.2-0.7.6.s390x", "SUSE Manager 2.1:rhn-custom-info-5.4.22.6-0.7.13.noarch", "SUSE Manager 2.1:rhnlib-2.5.69.6-0.7.6.s390x", "SUSE Manager 2.1:rhnmd-5.3.18.4-0.7.15.noarch", "SUSE Manager 2.1:rhnpush-5.5.71.7-0.7.16.noarch", "SUSE Manager 2.1:sm-ncc-sync-data-2.1.9-0.7.6.noarch", "SUSE Manager 2.1:smdba-1.5.1-0.7.6.s390x", "SUSE Manager 2.1:spacecmd-2.1.25.7-0.7.9.s390x", "SUSE Manager 2.1:spacewalk-admin-2.1.2.4-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-backend-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-app-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-applet-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-common-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-tool-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-2.1.55.15-0.7.11.s390x", "SUSE Manager 
2.1:spacewalk-backend-iss-export-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-package-push-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-oracle-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-postgresql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-tools-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xml-export-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xmlrpc-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-base-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-config-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-branding-2.1.33.10-0.7.16.s390x", "SUSE Manager 2.1:spacewalk-certs-tools-2.1.6.5-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-check-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-setup-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-tools-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-config-2.1.5.4-0.7.15.noarch", "SUSE Manager 2.1:spacewalk-doc-indexes-2.1.2.3-0.7.26.noarch", "SUSE Manager 2.1:spacewalk-grail-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-html-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-java-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-config-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-lib-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-oracle-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-postgresql-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-pxt-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-reports-2.1.14.8-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-search-2.1.14.6-0.7.18.noarch", "SUSE Manager 
2.1:spacewalk-setup-2.1.14.9-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-setup-jabberd-2.1.0.2-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-sniglets-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-taskomatic-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-utils-2.1.27.12-0.7.25.noarch", "SUSE Manager 2.1:spacewalksd-5.0.14.6-0.7.15.s390x", "SUSE Manager 2.1:struts-1.2.9-162.33.22.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-1.0.3-0.5.5.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-client-1.0.4-0.5.5.noarch", "SUSE Manager 2.1:suseRegisterInfo-2.1.9-0.7.29.s390x", "SUSE Manager 2.1:susemanager-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-client-config_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-install_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-jsp_en-2.1-0.15.23.noarch", "SUSE Manager 2.1:susemanager-manuals_en-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-proxy-quick_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-reference_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-schema-2.1.50.11-0.7.8.noarch", "SUSE Manager 2.1:susemanager-sync-data-2.1.5-0.7.6.noarch", "SUSE Manager 2.1:susemanager-tools-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-user_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:tanukiwrapper-3.2.3-0.10.12.s390x", "SUSE Manager 2.1:yum-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:yum-common-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:zypp-plugin-spacewalk-0.9.8-0.15.51.s390x", ], }, ], threats: [ { category: "impact", date: "2015-02-25T20:05:05Z", details: "moderate", }, ], title: "CVE-2014-8583", }, { cve: "CVE-2014-9130", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2014-9130", }, ], notes: [ { category: "general", text: "scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allows context-dependent attackers to cause a denial of service (assertion failure and crash) via 
vectors involving line-wrapping.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Manager 2.1:apache2-mod_wsgi-3.3-5.7.17.s390x", "SUSE Manager 2.1:auditlog-keeper-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-rdbms-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-spacewalk-validator-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-syslog-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-xmlout-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:cobbler-2.2.2-0.54.9.s390x", "SUSE Manager 2.1:google-gson-2.2.4-0.7.52.noarch", "SUSE Manager 2.1:libyaml-0-2-0.1.3-0.10.16.11.s390x", "SUSE Manager 2.1:oracle-config-1.1-0.10.10.16.noarch", "SUSE Manager 2.1:osa-dispatcher-5.11.33.7-0.7.16.noarch", "SUSE Manager 2.1:perl-Class-Singleton-1.4-4.13.38.noarch", "SUSE Manager 2.1:perl-NOCpulse-Object-1.26.13.2-0.7.13.noarch", "SUSE Manager 2.1:perl-Satcon-1.20.2-0.7.6.noarch", "SUSE Manager 2.1:perl-auditlog-keeper-client-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:postgresql91-pltcl-9.1.15-0.3.1.s390x", "SUSE Manager 2.1:pxe-default-image-0.1-0.20.56.noarch", "SUSE Manager 2.1:python-enum34-1.0-0.7.33.s390x", "SUSE Manager 2.1:python-gzipstream-1.10.2.2-0.7.6.s390x", "SUSE Manager 2.1:rhn-custom-info-5.4.22.6-0.7.13.noarch", "SUSE Manager 2.1:rhnlib-2.5.69.6-0.7.6.s390x", "SUSE Manager 2.1:rhnmd-5.3.18.4-0.7.15.noarch", "SUSE Manager 2.1:rhnpush-5.5.71.7-0.7.16.noarch", "SUSE Manager 2.1:sm-ncc-sync-data-2.1.9-0.7.6.noarch", "SUSE Manager 2.1:smdba-1.5.1-0.7.6.s390x", "SUSE Manager 2.1:spacecmd-2.1.25.7-0.7.9.s390x", "SUSE Manager 2.1:spacewalk-admin-2.1.2.4-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-backend-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-app-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-applet-2.1.55.15-0.7.11.s390x", "SUSE Manager 
2.1:spacewalk-backend-config-files-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-common-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-tool-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-export-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-package-push-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-oracle-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-postgresql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-tools-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xml-export-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xmlrpc-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-base-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-config-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-branding-2.1.33.10-0.7.16.s390x", "SUSE Manager 2.1:spacewalk-certs-tools-2.1.6.5-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-check-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-setup-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-tools-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-config-2.1.5.4-0.7.15.noarch", "SUSE Manager 2.1:spacewalk-doc-indexes-2.1.2.3-0.7.26.noarch", "SUSE Manager 2.1:spacewalk-grail-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-html-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-java-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-config-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-lib-2.1.165.14-0.7.16.noarch", "SUSE Manager 
2.1:spacewalk-java-oracle-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-postgresql-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-pxt-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-reports-2.1.14.8-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-search-2.1.14.6-0.7.18.noarch", "SUSE Manager 2.1:spacewalk-setup-2.1.14.9-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-setup-jabberd-2.1.0.2-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-sniglets-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-taskomatic-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-utils-2.1.27.12-0.7.25.noarch", "SUSE Manager 2.1:spacewalksd-5.0.14.6-0.7.15.s390x", "SUSE Manager 2.1:struts-1.2.9-162.33.22.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-1.0.3-0.5.5.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-client-1.0.4-0.5.5.noarch", "SUSE Manager 2.1:suseRegisterInfo-2.1.9-0.7.29.s390x", "SUSE Manager 2.1:susemanager-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-client-config_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-install_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-jsp_en-2.1-0.15.23.noarch", "SUSE Manager 2.1:susemanager-manuals_en-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-proxy-quick_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-reference_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-schema-2.1.50.11-0.7.8.noarch", "SUSE Manager 2.1:susemanager-sync-data-2.1.5-0.7.6.noarch", "SUSE Manager 2.1:susemanager-tools-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-user_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:tanukiwrapper-3.2.3-0.10.12.s390x", "SUSE Manager 2.1:yum-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:yum-common-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:zypp-plugin-spacewalk-0.9.8-0.15.51.s390x", ], }, references: [ { category: "external", summary: "CVE-2014-9130", url: "https://www.suse.com/security/cve/CVE-2014-9130", }, { category: "external", summary: "SUSE Bug 
907809 for CVE-2014-9130", url: "https://bugzilla.suse.com/907809", }, { category: "external", summary: "SUSE Bug 911782 for CVE-2014-9130", url: "https://bugzilla.suse.com/911782", }, { category: "external", summary: "SUSE Bug 921588 for CVE-2014-9130", url: "https://bugzilla.suse.com/921588", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Manager 2.1:apache2-mod_wsgi-3.3-5.7.17.s390x", "SUSE Manager 2.1:auditlog-keeper-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-rdbms-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-spacewalk-validator-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-syslog-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:auditlog-keeper-xmlout-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:cobbler-2.2.2-0.54.9.s390x", "SUSE Manager 2.1:google-gson-2.2.4-0.7.52.noarch", "SUSE Manager 2.1:libyaml-0-2-0.1.3-0.10.16.11.s390x", "SUSE Manager 2.1:oracle-config-1.1-0.10.10.16.noarch", "SUSE Manager 2.1:osa-dispatcher-5.11.33.7-0.7.16.noarch", "SUSE Manager 2.1:perl-Class-Singleton-1.4-4.13.38.noarch", "SUSE Manager 2.1:perl-NOCpulse-Object-1.26.13.2-0.7.13.noarch", "SUSE Manager 2.1:perl-Satcon-1.20.2-0.7.6.noarch", "SUSE Manager 2.1:perl-auditlog-keeper-client-0.2.3+git.1417708457.eabd1a9-0.7.58.noarch", "SUSE Manager 2.1:postgresql91-pltcl-9.1.15-0.3.1.s390x", "SUSE Manager 2.1:pxe-default-image-0.1-0.20.56.noarch", "SUSE Manager 2.1:python-enum34-1.0-0.7.33.s390x", "SUSE Manager 2.1:python-gzipstream-1.10.2.2-0.7.6.s390x", "SUSE Manager 2.1:rhn-custom-info-5.4.22.6-0.7.13.noarch", "SUSE Manager 2.1:rhnlib-2.5.69.6-0.7.6.s390x", "SUSE Manager 2.1:rhnmd-5.3.18.4-0.7.15.noarch", "SUSE Manager 2.1:rhnpush-5.5.71.7-0.7.16.noarch", "SUSE Manager 
2.1:sm-ncc-sync-data-2.1.9-0.7.6.noarch", "SUSE Manager 2.1:smdba-1.5.1-0.7.6.s390x", "SUSE Manager 2.1:spacecmd-2.1.25.7-0.7.9.s390x", "SUSE Manager 2.1:spacewalk-admin-2.1.2.4-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-backend-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-app-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-applet-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-common-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-config-files-tool-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-iss-export-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-package-push-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-server-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-oracle-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-sql-postgresql-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-tools-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xml-export-libs-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-backend-xmlrpc-2.1.55.15-0.7.11.s390x", "SUSE Manager 2.1:spacewalk-base-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-base-minimal-config-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-branding-2.1.33.10-0.7.16.s390x", "SUSE Manager 2.1:spacewalk-certs-tools-2.1.6.5-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-check-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-setup-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-client-tools-2.1.16.6-0.7.9.noarch", "SUSE Manager 2.1:spacewalk-config-2.1.5.4-0.7.15.noarch", "SUSE Manager 
2.1:spacewalk-doc-indexes-2.1.2.3-0.7.26.noarch", "SUSE Manager 2.1:spacewalk-grail-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-html-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-java-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-config-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-lib-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-oracle-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-java-postgresql-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-pxt-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-reports-2.1.14.8-0.7.10.noarch", "SUSE Manager 2.1:spacewalk-search-2.1.14.6-0.7.18.noarch", "SUSE Manager 2.1:spacewalk-setup-2.1.14.9-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-setup-jabberd-2.1.0.2-0.7.6.noarch", "SUSE Manager 2.1:spacewalk-sniglets-2.1.60.12-0.7.7.noarch", "SUSE Manager 2.1:spacewalk-taskomatic-2.1.165.14-0.7.16.noarch", "SUSE Manager 2.1:spacewalk-utils-2.1.27.12-0.7.25.noarch", "SUSE Manager 2.1:spacewalksd-5.0.14.6-0.7.15.s390x", "SUSE Manager 2.1:struts-1.2.9-162.33.22.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-1.0.3-0.5.5.noarch", "SUSE Manager 2.1:supportutils-plugin-susemanager-client-1.0.4-0.5.5.noarch", "SUSE Manager 2.1:suseRegisterInfo-2.1.9-0.7.29.s390x", "SUSE Manager 2.1:susemanager-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-client-config_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-install_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-jsp_en-2.1-0.15.23.noarch", "SUSE Manager 2.1:susemanager-manuals_en-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-proxy-quick_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-reference_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 2.1:susemanager-schema-2.1.50.11-0.7.8.noarch", "SUSE Manager 2.1:susemanager-sync-data-2.1.5-0.7.6.noarch", "SUSE Manager 2.1:susemanager-tools-2.1.17-0.7.11.s390x", "SUSE Manager 2.1:susemanager-user_en-pdf-2.1-0.15.24.noarch", "SUSE Manager 
2.1:tanukiwrapper-3.2.3-0.10.12.s390x", "SUSE Manager 2.1:yum-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:yum-common-3.2.29-0.19.30.s390x", "SUSE Manager 2.1:zypp-plugin-spacewalk-0.9.8-0.15.51.s390x", ], }, ], threats: [ { category: "impact", date: "2015-02-25T20:05:05Z", details: "moderate", }, ], title: "CVE-2014-9130", }, ], }
suse-su-2015:0886-1
Vulnerability from csaf_suse
Notes
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for struts", title: "Title of the patch", }, { category: "description", text: "\nApache Struts was updated to fix a security issue:\n\n * CVE-2014-0114: The ActionForm object in Apache Struts 1.x through\n 1.3.10 allows remote attackers to 'manipulate' the ClassLoader and\n execute arbitrary code via the class parameter, which is passed to\n the getClass method.\n\nSecurity Issue reference:\n\n * CVE-2014-0114\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114>\n\n", title: "Description of the patch", }, { category: "details", text: "sdksp3-struts,sleman17sp2-struts,sleman21-struts", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2015_0886-1.json", }, { category: "self", summary: "URL for SUSE-SU-2015:0886-1", url: "https://www.suse.com/support/update/announcement/2015/suse-su-20150886-1/", }, { category: "self", summary: "E-Mail link for SUSE-SU-2015:0886-1", url: "https://lists.suse.com/pipermail/sle-security-updates/2015-May/001388.html", }, { category: "self", summary: "SUSE Bug 875455", url: "https://bugzilla.suse.com/875455", 
}, { category: "self", summary: "SUSE Bug 924887", url: "https://bugzilla.suse.com/924887", }, { category: "self", summary: "SUSE CVE CVE-2014-0114 page", url: "https://www.suse.com/security/cve/CVE-2014-0114/", }, { category: "self", summary: "SUSE CVE CVE-2015-0899 page", url: "https://www.suse.com/security/cve/CVE-2015-0899/", }, ], title: "Security update for struts", tracking: { current_release_date: "2014-06-20T20:43:07Z", generator: { date: "2014-06-20T20:43:07Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "SUSE-SU-2015:0886-1", initial_release_date: "2014-06-20T20:43:07Z", revision_history: [ { date: "2014-06-20T20:43:07Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "struts-1.2.9-162.33.1.noarch", product: { name: "struts-1.2.9-162.33.1.noarch", product_id: "struts-1.2.9-162.33.1.noarch", }, }, { category: "product_version", name: "struts-javadoc-1.2.9-162.33.1.noarch", product: { name: "struts-javadoc-1.2.9-162.33.1.noarch", product_id: "struts-javadoc-1.2.9-162.33.1.noarch", }, }, { category: "product_version", name: "struts-manual-1.2.9-162.33.1.noarch", product: { name: "struts-manual-1.2.9-162.33.1.noarch", product_id: "struts-manual-1.2.9-162.33.1.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_name", name: "SUSE Linux Enterprise Software Development Kit 11 SP3", product: { name: "SUSE Linux Enterprise Software Development Kit 11 SP3", product_id: "SUSE Linux Enterprise Software Development Kit 11 SP3", product_identification_helper: { cpe: "cpe:/a:suse:sle-sdk:11:sp3", }, }, }, { category: "product_name", name: "SUSE Manager 1.7", product: { name: "SUSE Manager 1.7", product_id: "SUSE Manager 1.7", product_identification_helper: { cpe: "cpe:/o:suse:suse-manager-server:1.7", }, }, }, { category: "product_name", name: "SUSE Manager 
2.1", product: { name: "SUSE Manager 2.1", product_id: "SUSE Manager 2.1", product_identification_helper: { cpe: "cpe:/o:suse:suse-manager-server:2.1", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "struts-1.2.9-162.33.1.noarch as component of SUSE Linux Enterprise Software Development Kit 11 SP3", product_id: "SUSE Linux Enterprise Software Development Kit 11 SP3:struts-1.2.9-162.33.1.noarch", }, product_reference: "struts-1.2.9-162.33.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Software Development Kit 11 SP3", }, { category: "default_component_of", full_product_name: { name: "struts-javadoc-1.2.9-162.33.1.noarch as component of SUSE Linux Enterprise Software Development Kit 11 SP3", product_id: "SUSE Linux Enterprise Software Development Kit 11 SP3:struts-javadoc-1.2.9-162.33.1.noarch", }, product_reference: "struts-javadoc-1.2.9-162.33.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Software Development Kit 11 SP3", }, { category: "default_component_of", full_product_name: { name: "struts-manual-1.2.9-162.33.1.noarch as component of SUSE Linux Enterprise Software Development Kit 11 SP3", product_id: "SUSE Linux Enterprise Software Development Kit 11 SP3:struts-manual-1.2.9-162.33.1.noarch", }, product_reference: "struts-manual-1.2.9-162.33.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Software Development Kit 11 SP3", }, { category: "default_component_of", full_product_name: { name: "struts-1.2.9-162.33.1.noarch as component of SUSE Manager 1.7", product_id: "SUSE Manager 1.7:struts-1.2.9-162.33.1.noarch", }, product_reference: "struts-1.2.9-162.33.1.noarch", relates_to_product_reference: "SUSE Manager 1.7", }, { category: "default_component_of", full_product_name: { name: "struts-1.2.9-162.33.1.noarch as component of SUSE Manager 2.1", product_id: "SUSE 
Manager 2.1:struts-1.2.9-162.33.1.noarch", }, product_reference: "struts-1.2.9-162.33.1.noarch", relates_to_product_reference: "SUSE Manager 2.1", }, ], }, vulnerabilities: [ { cve: "CVE-2014-0114", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2014-0114", }, ], notes: [ { category: "general", text: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Software Development Kit 11 SP3:struts-1.2.9-162.33.1.noarch", "SUSE Linux Enterprise Software Development Kit 11 SP3:struts-javadoc-1.2.9-162.33.1.noarch", "SUSE Linux Enterprise Software Development Kit 11 SP3:struts-manual-1.2.9-162.33.1.noarch", "SUSE Manager 1.7:struts-1.2.9-162.33.1.noarch", "SUSE Manager 2.1:struts-1.2.9-162.33.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2014-0114", url: "https://www.suse.com/security/cve/CVE-2014-0114", }, { category: "external", summary: "SUSE Bug 778464 for CVE-2014-0114", url: "https://bugzilla.suse.com/778464", }, { category: "external", summary: "SUSE Bug 875455 for CVE-2014-0114", url: "https://bugzilla.suse.com/875455", }, { category: "external", summary: "SUSE Bug 885963 for CVE-2014-0114", url: "https://bugzilla.suse.com/885963", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Software Development Kit 11 SP3:struts-1.2.9-162.33.1.noarch", "SUSE Linux 
Enterprise Software Development Kit 11 SP3:struts-javadoc-1.2.9-162.33.1.noarch", "SUSE Linux Enterprise Software Development Kit 11 SP3:struts-manual-1.2.9-162.33.1.noarch", "SUSE Manager 1.7:struts-1.2.9-162.33.1.noarch", "SUSE Manager 2.1:struts-1.2.9-162.33.1.noarch", ], }, ], threats: [ { category: "impact", date: "2014-06-20T20:43:07Z", details: "important", }, ], title: "CVE-2014-0114", }, { cve: "CVE-2015-0899", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2015-0899", }, ], notes: [ { category: "general", text: "The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Software Development Kit 11 SP3:struts-1.2.9-162.33.1.noarch", "SUSE Linux Enterprise Software Development Kit 11 SP3:struts-javadoc-1.2.9-162.33.1.noarch", "SUSE Linux Enterprise Software Development Kit 11 SP3:struts-manual-1.2.9-162.33.1.noarch", "SUSE Manager 1.7:struts-1.2.9-162.33.1.noarch", "SUSE Manager 2.1:struts-1.2.9-162.33.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2015-0899", url: "https://www.suse.com/security/cve/CVE-2015-0899", }, { category: "external", summary: "SUSE Bug 924887 for CVE-2015-0899", url: "https://bugzilla.suse.com/924887", }, { category: "external", summary: "SUSE Bug 983684 for CVE-2015-0899", url: "https://bugzilla.suse.com/983684", }, { category: "external", summary: "SUSE Bug 983728 for CVE-2015-0899", url: "https://bugzilla.suse.com/983728", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Software Development Kit 11 SP3:struts-1.2.9-162.33.1.noarch", "SUSE Linux Enterprise Software Development Kit 11 
SP3:struts-javadoc-1.2.9-162.33.1.noarch", "SUSE Linux Enterprise Software Development Kit 11 SP3:struts-manual-1.2.9-162.33.1.noarch", "SUSE Manager 1.7:struts-1.2.9-162.33.1.noarch", "SUSE Manager 2.1:struts-1.2.9-162.33.1.noarch", ], }, ], threats: [ { category: "impact", date: "2014-06-20T20:43:07Z", details: "moderate", }, ], title: "CVE-2015-0899", }, ], }
fkie_cve-2014-0114
Vulnerability from fkie_nvd
Vendor | Product | Version | Update
---|---|---|---
apache | commons_beanutils | * (through 1.9.1) |
apache | struts | 1.0 |
apache | struts | 1.0.2 |
apache | struts | 1.1 |
apache | struts | 1.1 | b1
apache | struts | 1.1 | b2
apache | struts | 1.1 | b3
apache | struts | 1.1 | rc1
apache | struts | 1.1 | rc2
apache | struts | 1.2.2 |
apache | struts | 1.2.4 |
apache | struts | 1.2.6 |
apache | struts | 1.2.7 |
apache | struts | 1.2.8 |
apache | struts | 1.2.9 |
apache | struts | 1.3.5 |
apache | struts | 1.3.8 |
apache | struts | 1.3.10 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:commons_beanutils:*:*:*:*:*:*:*:*", matchCriteriaId: "02FF6542-F5F7-465D-9755-E4EFC8953453", versionEndIncluding: "1.9.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:*", matchCriteriaId: "A5051228-446E-461D-9B5F-8F765C7BA57F", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*", matchCriteriaId: "EE1B8A83-43A4-4C4F-BB95-4D9CAD882D1C", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*", matchCriteriaId: "A55DDFE1-A8AB-47BB-903E-957FCF3D023D", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:*", matchCriteriaId: "93FA9AE3-B453-4FE6-82A9-7DDEF3F6C464", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:*", matchCriteriaId: "A3BB6FBE-469B-4920-A30B-33AD9E41ACCD", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.1:b3:*:*:*:*:*:*", matchCriteriaId: "34FC82D3-CCAF-4F37-B531-2A9CA17311A9", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*:*", matchCriteriaId: "E0B8B413-8C62-44B6-A382-26F35F4573D4", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:*", matchCriteriaId: "6309C679-890A-4214-8857-9F119CBBAA00", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:*", matchCriteriaId: "CD882860-03D0-49E9-8CED-DE6663392548", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*", matchCriteriaId: "EDDD509E-9EBF-483F-9546-A1A3A1A3380E", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:*", matchCriteriaId: "B2ECF5E1-457F-4E76-81F7-65114DC4E1E4", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*", matchCriteriaId: "2FC81E1A-2779-4FAF-866C-970752CD1828", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*", matchCriteriaId: 
"CBD69FAE-C1A3-4213-824A-7DCCE357EB01", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.2.9:*:*:*:*:*:*:*", matchCriteriaId: "9C34FDB0-2778-4C36-8345-F7E27509A383", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:*", matchCriteriaId: "CF0302D3-CB8D-4FA7-8F07-C2C7593877BE", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:*", matchCriteriaId: "03906D34-F3B3-4C56-A6A6-2F7A10168501", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*", matchCriteriaId: "1B3872B7-2972-433D-96A1-154FA545B311", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", }, { lang: "es", value: "Apache Commons BeanUtils, según se distribuye en lib/commons-beanutils-1.8.0.jar en Apache Struts 1.x hasta la versión 1.3.10 y en otros productos que requieren commons-beanutils hasta la versión 1.9.2, no suprime la propiedad class, lo que permite a atacantes remotos \"manipular\" el ClassLoader y ejecutar código arbitrario a través del parámetro class, según lo demostrado por el paso de este parámetro al método getClass del objeto ActionForm en Struts 1.", }, ], id: "CVE-2014-0114", lastModified: "2024-11-21T02:01:23.960", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2014-04-30T10:49:03.973", references: [ { source: "secalert@redhat.com", url: "http://advisories.mageia.org/MGASA-2014-0219.html", }, { source: "secalert@redhat.com", url: "http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html", }, { source: "secalert@redhat.com", url: "http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt", }, { source: "secalert@redhat.com", url: "http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html", }, { source: "secalert@redhat.com", url: "http://marc.info/?l=bugtraq&m=140119284401582&w=2", }, { source: "secalert@redhat.com", url: "http://marc.info/?l=bugtraq&m=140801096002766&w=2", }, { source: "secalert@redhat.com", url: "http://marc.info/?l=bugtraq&m=141451023707502&w=2", }, { source: "secalert@redhat.com", url: "http://openwall.com/lists/oss-security/2014/06/15/10", }, { source: "secalert@redhat.com", url: "http://openwall.com/lists/oss-security/2014/07/08/1", }, { source: "secalert@redhat.com", url: "http://seclists.org/fulldisclosure/2014/Dec/23", }, { source: "secalert@redhat.com", url: "http://secunia.com/advisories/57477", }, { source: "secalert@redhat.com", url: "http://secunia.com/advisories/58710", }, { source: "secalert@redhat.com", url: "http://secunia.com/advisories/58851", }, { source: "secalert@redhat.com", url: "http://secunia.com/advisories/58947", }, { source: "secalert@redhat.com", url: "http://secunia.com/advisories/59014", }, { source: "secalert@redhat.com", url: "http://secunia.com/advisories/59118", }, { source: "secalert@redhat.com", url: "http://secunia.com/advisories/59228", }, { source: "secalert@redhat.com", 
url: "http://secunia.com/advisories/59245", }, { source: "secalert@redhat.com", url: "http://secunia.com/advisories/59246", }, { source: "secalert@redhat.com", url: "http://secunia.com/advisories/59430", }, { source: "secalert@redhat.com", url: "http://secunia.com/advisories/59464", }, { source: "secalert@redhat.com", url: "http://secunia.com/advisories/59479", }, { source: "secalert@redhat.com", url: "http://secunia.com/advisories/59480", }, { source: "secalert@redhat.com", url: "http://secunia.com/advisories/59704", }, { source: "secalert@redhat.com", url: "http://secunia.com/advisories/59718", }, { source: "secalert@redhat.com", url: "http://secunia.com/advisories/60177", }, { source: "secalert@redhat.com", url: "http://secunia.com/advisories/60703", }, { source: "secalert@redhat.com", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21674128", }, { source: "secalert@redhat.com", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21674812", }, { source: "secalert@redhat.com", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675266", }, { source: "secalert@redhat.com", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675387", }, { source: "secalert@redhat.com", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675689", }, { source: "secalert@redhat.com", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675898", }, { source: "secalert@redhat.com", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675972", }, { source: "secalert@redhat.com", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676091", }, { source: "secalert@redhat.com", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676110", }, { source: "secalert@redhat.com", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676303", }, { source: "secalert@redhat.com", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676375", }, { source: "secalert@redhat.com", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676931", }, { 
source: "secalert@redhat.com", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21677110", }, { source: "secalert@redhat.com", url: "http://www-01.ibm.com/support/docview.wss?uid=swg27042296", }, { source: "secalert@redhat.com", url: "http://www.debian.org/security/2014/dsa-2940", }, { source: "secalert@redhat.com", url: "http://www.ibm.com/support/docview.wss?uid=swg21675496", }, { source: "secalert@redhat.com", url: "http://www.mandriva.com/security/advisories?name=MDVSA-2014:095", }, { source: "secalert@redhat.com", url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { source: "secalert@redhat.com", url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { source: "secalert@redhat.com", url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", }, { source: "secalert@redhat.com", url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", }, { source: "secalert@redhat.com", url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { source: "secalert@redhat.com", url: "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", }, { source: "secalert@redhat.com", url: "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html", }, { source: "secalert@redhat.com", url: "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html", }, { source: "secalert@redhat.com", url: "http://www.securityfocus.com/archive/1/534161/100/0/threaded", }, { source: "secalert@redhat.com", url: "http://www.securityfocus.com/bid/67121", }, { source: "secalert@redhat.com", url: "http://www.vmware.com/security/advisories/VMSA-2014-0008.html", }, { source: "secalert@redhat.com", url: "http://www.vmware.com/security/advisories/VMSA-2014-0012.html", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2018:2669", }, { source: "secalert@redhat.com", url: 
"https://access.redhat.com/errata/RHSA-2019:2995", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/solutions/869353", }, { source: "secalert@redhat.com", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { source: "secalert@redhat.com", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1116665", }, { source: "secalert@redhat.com", url: "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755", }, { source: "secalert@redhat.com", url: "https://issues.apache.org/jira/browse/BEANUTILS-463", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: 
"https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E", }, { source: "secalert@redhat.com", url: 
"https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: 
"https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: 
"https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://security.gentoo.org/glsa/201607-09", }, { source: "secalert@redhat.com", url: "https://security.netapp.com/advisory/ntap-20140911-0001/", }, { source: "secalert@redhat.com", url: "https://security.netapp.com/advisory/ntap-20180629-0006/", }, { source: "secalert@redhat.com", url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { source: "secalert@redhat.com", url: 
"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { source: "secalert@redhat.com", url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://advisories.mageia.org/MGASA-2014-0219.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://marc.info/?l=bugtraq&m=140119284401582&w=2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://marc.info/?l=bugtraq&m=140801096002766&w=2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://marc.info/?l=bugtraq&m=141451023707502&w=2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://openwall.com/lists/oss-security/2014/06/15/10", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://openwall.com/lists/oss-security/2014/07/08/1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://seclists.org/fulldisclosure/2014/Dec/23", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/57477", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/58710", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/58851", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/58947", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/59014", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/59118", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/59228", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/59245", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/59246", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/59430", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/59464", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/59479", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/59480", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/59704", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/59718", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/60177", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/60703", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21674128", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21674812", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675266", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675387", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675689", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675898", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675972", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676091", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676110", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676303", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676375", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676931", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21677110", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www-01.ibm.com/support/docview.wss?uid=swg27042296", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.debian.org/security/2014/dsa-2940", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.ibm.com/support/docview.wss?uid=swg21675496", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.mandriva.com/security/advisories?name=MDVSA-2014:095", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", url: "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/archive/1/534161/100/0/threaded", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/67121", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.vmware.com/security/advisories/VMSA-2014-0008.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.vmware.com/security/advisories/VMSA-2014-0012.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2018:2669", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2019:2995", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/solutions/869353", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1116665", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://issues.apache.org/jira/browse/BEANUTILS-463", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://security.gentoo.org/glsa/201607-09", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://security.netapp.com/advisory/ntap-20140911-0001/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://security.netapp.com/advisory/ntap-20180629-0006/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-20", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
cve-2014-0114
Vulnerability from jvndb
| Vendor | Product |
|---|---|
| NTT DATA | TERASOLUNA Server Framework for Java(Web) |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000056.html", "dc:date": "2015-01-22T15:50+09:00", "dcterms:issued": "2014-06-17T15:01+09:00", "dcterms:modified": "2015-01-22T15:50+09:00", description: "TERASOLUNA Server Framework for Java(Web) provided by NTT DATA Corporation is a software framework for creating Java web applications. TERASOLUNA Server Framework for Java(Web) bundles Apache Struts 1.2.9, which contains a vulnerability where the ClassLoader may be manipulated (CVE-2014-0114). Therefore, this vulnerability affects TERASOLUNA Server Framework for Java(Web) as well.", link: "https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000056.html", "sec:cpe": { "#text": "cpe:/a:nttdata:terasoluna_server_framework_for_java_web", "@product": "TERASOLUNA Server Framework for Java(Web)", "@vendor": "NTT DATA", "@version": "2.2", }, "sec:cvss": { "@score": "7.5", "@severity": "High", "@type": "Base", "@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "@version": "2.0", }, "sec:identifier": "JVNDB-2014-000056", "sec:references": [ { "#text": "http://jvn.jp/en/jp/JVN30962312/index.html", "@id": "JVN#30962312", "@source": "JVN", }, { "#text": "http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-002308.html", "@id": "JVNDB-2014-002308", "@source": "JVN iPedia", }, { "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114", "@id": "CVE-2014-0114", "@source": "CVE", }, { "#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114", "@id": "CVE-2014-0114", "@source": "NVD", }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-DesignError", "@title": "No Mapping(CWE-DesignError)", }, ], title: "TERASOLUNA Server Framework for Java(Web) vulnerable to ClassLoader manipulation", }
opensuse-su-2024:10617-1
Vulnerability from csaf_opensuse
Notes
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "apache-commons-beanutils-1.9.4-3.7 on GA media", title: "Title of the patch", }, { category: "description", text: "These are all security issues fixed in the apache-commons-beanutils-1.9.4-3.7 package on the GA media of openSUSE Tumbleweed.", title: "Description of the patch", }, { category: "details", text: "openSUSE-Tumbleweed-2024-10617", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_10617-1.json", }, { category: "self", summary: "SUSE CVE CVE-2014-0114 page", url: "https://www.suse.com/security/cve/CVE-2014-0114/", }, { category: "self", summary: "SUSE CVE CVE-2015-4852 page", url: "https://www.suse.com/security/cve/CVE-2015-4852/", }, { category: "self", summary: "SUSE CVE CVE-2019-10086 page", url: "https://www.suse.com/security/cve/CVE-2019-10086/", }, ], title: "apache-commons-beanutils-1.9.4-3.7 on GA media", tracking: { current_release_date: "2024-06-15T00:00:00Z", generator: { date: "2024-06-15T00:00:00Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2024:10617-1", initial_release_date: 
"2024-06-15T00:00:00Z", revision_history: [ { date: "2024-06-15T00:00:00Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "apache-commons-beanutils-1.9.4-3.7.aarch64", product: { name: "apache-commons-beanutils-1.9.4-3.7.aarch64", product_id: "apache-commons-beanutils-1.9.4-3.7.aarch64", }, }, { category: "product_version", name: "apache-commons-beanutils-javadoc-1.9.4-3.7.aarch64", product: { name: "apache-commons-beanutils-javadoc-1.9.4-3.7.aarch64", product_id: "apache-commons-beanutils-javadoc-1.9.4-3.7.aarch64", }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "apache-commons-beanutils-1.9.4-3.7.ppc64le", product: { name: "apache-commons-beanutils-1.9.4-3.7.ppc64le", product_id: "apache-commons-beanutils-1.9.4-3.7.ppc64le", }, }, { category: "product_version", name: "apache-commons-beanutils-javadoc-1.9.4-3.7.ppc64le", product: { name: "apache-commons-beanutils-javadoc-1.9.4-3.7.ppc64le", product_id: "apache-commons-beanutils-javadoc-1.9.4-3.7.ppc64le", }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "apache-commons-beanutils-1.9.4-3.7.s390x", product: { name: "apache-commons-beanutils-1.9.4-3.7.s390x", product_id: "apache-commons-beanutils-1.9.4-3.7.s390x", }, }, { category: "product_version", name: "apache-commons-beanutils-javadoc-1.9.4-3.7.s390x", product: { name: "apache-commons-beanutils-javadoc-1.9.4-3.7.s390x", product_id: "apache-commons-beanutils-javadoc-1.9.4-3.7.s390x", }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "apache-commons-beanutils-1.9.4-3.7.x86_64", product: { name: "apache-commons-beanutils-1.9.4-3.7.x86_64", product_id: "apache-commons-beanutils-1.9.4-3.7.x86_64", }, }, { category: "product_version", name: 
"apache-commons-beanutils-javadoc-1.9.4-3.7.x86_64", product: { name: "apache-commons-beanutils-javadoc-1.9.4-3.7.x86_64", product_id: "apache-commons-beanutils-javadoc-1.9.4-3.7.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "openSUSE Tumbleweed", product: { name: "openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed", product_identification_helper: { cpe: "cpe:/o:opensuse:tumbleweed", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "apache-commons-beanutils-1.9.4-3.7.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.aarch64", }, product_reference: "apache-commons-beanutils-1.9.4-3.7.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "apache-commons-beanutils-1.9.4-3.7.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.ppc64le", }, product_reference: "apache-commons-beanutils-1.9.4-3.7.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "apache-commons-beanutils-1.9.4-3.7.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.s390x", }, product_reference: "apache-commons-beanutils-1.9.4-3.7.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "apache-commons-beanutils-1.9.4-3.7.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.x86_64", }, product_reference: "apache-commons-beanutils-1.9.4-3.7.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: 
"default_component_of", full_product_name: { name: "apache-commons-beanutils-javadoc-1.9.4-3.7.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.aarch64", }, product_reference: "apache-commons-beanutils-javadoc-1.9.4-3.7.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "apache-commons-beanutils-javadoc-1.9.4-3.7.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.ppc64le", }, product_reference: "apache-commons-beanutils-javadoc-1.9.4-3.7.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "apache-commons-beanutils-javadoc-1.9.4-3.7.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.s390x", }, product_reference: "apache-commons-beanutils-javadoc-1.9.4-3.7.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "apache-commons-beanutils-javadoc-1.9.4-3.7.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.x86_64", }, product_reference: "apache-commons-beanutils-javadoc-1.9.4-3.7.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, ], }, vulnerabilities: [ { cve: "CVE-2014-0114", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2014-0114", }, ], notes: [ { category: "general", text: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated 
by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.aarch64", "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.ppc64le", "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.s390x", "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.x86_64", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.aarch64", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.ppc64le", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.s390x", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.x86_64", ], }, references: [ { category: "external", summary: "CVE-2014-0114", url: "https://www.suse.com/security/cve/CVE-2014-0114", }, { category: "external", summary: "SUSE Bug 778464 for CVE-2014-0114", url: "https://bugzilla.suse.com/778464", }, { category: "external", summary: "SUSE Bug 875455 for CVE-2014-0114", url: "https://bugzilla.suse.com/875455", }, { category: "external", summary: "SUSE Bug 885963 for CVE-2014-0114", url: "https://bugzilla.suse.com/885963", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.aarch64", "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.ppc64le", "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.s390x", "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.x86_64", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.aarch64", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.ppc64le", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.s390x", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.x86_64", ], }, ], threats: [ { category: "impact", date: 
"2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2014-0114", }, { cve: "CVE-2015-4852", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2015-4852", }, ], notes: [ { category: "general", text: "The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.aarch64", "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.ppc64le", "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.s390x", "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.x86_64", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.aarch64", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.ppc64le", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.s390x", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.x86_64", ], }, references: [ { category: "external", summary: "CVE-2015-4852", url: "https://www.suse.com/security/cve/CVE-2015-4852", }, { category: "external", summary: "SUSE Bug 954102 for CVE-2015-4852", url: "https://bugzilla.suse.com/954102", }, { category: "external", summary: "SUSE Bug 955853 for CVE-2015-4852", url: "https://bugzilla.suse.com/955853", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.aarch64", "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.ppc64le", "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.s390x", 
"openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.x86_64", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.aarch64", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.ppc64le", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.s390x", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.aarch64", "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.ppc64le", "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.s390x", "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.x86_64", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.aarch64", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.ppc64le", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.s390x", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2015-4852", }, { cve: "CVE-2019-10086", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-10086", }, ], notes: [ { category: "general", text: "In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. 
We, however were not using this by default characteristic of the PropertyUtilsBean.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.aarch64", "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.ppc64le", "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.s390x", "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.x86_64", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.aarch64", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.ppc64le", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.s390x", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-10086", url: "https://www.suse.com/security/cve/CVE-2019-10086", }, { category: "external", summary: "SUSE Bug 1146657 for CVE-2019-10086", url: "https://bugzilla.suse.com/1146657", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.aarch64", "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.ppc64le", "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.s390x", "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.x86_64", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.aarch64", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.ppc64le", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.s390x", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.3, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, products: [ "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.aarch64", "openSUSE 
Tumbleweed:apache-commons-beanutils-1.9.4-3.7.ppc64le", "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.s390x", "openSUSE Tumbleweed:apache-commons-beanutils-1.9.4-3.7.x86_64", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.aarch64", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.ppc64le", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.s390x", "openSUSE Tumbleweed:apache-commons-beanutils-javadoc-1.9.4-3.7.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2019-10086", }, ], }
gsd-2014-0114
Vulnerability from gsd
{ GSD: { alias: "CVE-2014-0114", description: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", id: "GSD-2014-0114", references: [ "https://www.suse.com/security/cve/CVE-2014-0114.html", "https://www.debian.org/security/2014/dsa-2940", "https://access.redhat.com/errata/RHSA-2019:2995", "https://access.redhat.com/errata/RHSA-2018:2669", "https://access.redhat.com/errata/RHSA-2014:0511", "https://access.redhat.com/errata/RHSA-2014:0500", "https://access.redhat.com/errata/RHSA-2014:0498", "https://access.redhat.com/errata/RHSA-2014:0497", "https://access.redhat.com/errata/RHSA-2014:0474", "https://advisories.mageia.org/CVE-2014-0114.html", "https://linux.oracle.com/cve/CVE-2014-0114.html", "https://packetstormsecurity.com/files/cve/CVE-2014-0114", "https://ubuntu.com/security/CVE-2014-0114", ], }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2014-0114", ], details: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", id: "GSD-2014-0114", modified: "2023-12-13T01:22:44.062199Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: 
"CVE-2014-0114", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_affected: "=", version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", refsource: "MISC", url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { name: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", refsource: "MISC", url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { name: "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E", }, { name: 
"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", refsource: "MISC", url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", refsource: "MISC", url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", refsource: "MISC", url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", refsource: "MISC", url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", }, { name: "https://access.redhat.com/errata/RHSA-2018:2669", refsource: "MISC", url: "https://access.redhat.com/errata/RHSA-2018:2669", }, { name: "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html", refsource: "MISC", url: "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html", }, { name: "http://www.vmware.com/security/advisories/VMSA-2014-0008.html", refsource: "MISC", url: "http://www.vmware.com/security/advisories/VMSA-2014-0008.html", }, { name: "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", refsource: "MISC", url: "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", }, { name: "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E", refsource: "MISC", url: 
"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E", }, { name: "http://seclists.org/fulldisclosure/2014/Dec/23", refsource: "MISC", url: "http://seclists.org/fulldisclosure/2014/Dec/23", }, { name: "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html", refsource: "MISC", url: "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html", }, { name: "http://www.securityfocus.com/archive/1/534161/100/0/threaded", refsource: "MISC", url: "http://www.securityfocus.com/archive/1/534161/100/0/threaded", }, { name: "http://www.vmware.com/security/advisories/VMSA-2014-0012.html", refsource: "MISC", url: "http://www.vmware.com/security/advisories/VMSA-2014-0012.html", }, { name: "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755", refsource: "MISC", url: "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755", }, { name: "http://advisories.mageia.org/MGASA-2014-0219.html", refsource: "MISC", url: "http://advisories.mageia.org/MGASA-2014-0219.html", }, { name: "http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html", refsource: "MISC", url: "http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html", }, { name: "http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt", refsource: "MISC", url: "http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt", }, { name: 
"http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html", refsource: "MISC", url: "http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html", }, { name: "http://marc.info/?l=bugtraq&m=140119284401582&w=2", refsource: "MISC", url: "http://marc.info/?l=bugtraq&m=140119284401582&w=2", }, { name: "http://marc.info/?l=bugtraq&m=140801096002766&w=2", refsource: "MISC", url: "http://marc.info/?l=bugtraq&m=140801096002766&w=2", }, { name: "http://marc.info/?l=bugtraq&m=141451023707502&w=2", refsource: "MISC", url: "http://marc.info/?l=bugtraq&m=141451023707502&w=2", }, { name: "http://openwall.com/lists/oss-security/2014/06/15/10", refsource: "MISC", url: "http://openwall.com/lists/oss-security/2014/06/15/10", }, { name: "http://openwall.com/lists/oss-security/2014/07/08/1", refsource: "MISC", url: "http://openwall.com/lists/oss-security/2014/07/08/1", }, { name: "http://secunia.com/advisories/57477", refsource: "MISC", url: "http://secunia.com/advisories/57477", }, { name: "http://secunia.com/advisories/58710", refsource: "MISC", url: "http://secunia.com/advisories/58710", }, { name: "http://secunia.com/advisories/58851", refsource: "MISC", url: "http://secunia.com/advisories/58851", }, { name: "http://secunia.com/advisories/58947", refsource: "MISC", url: "http://secunia.com/advisories/58947", }, { name: "http://secunia.com/advisories/59014", refsource: "MISC", url: "http://secunia.com/advisories/59014", }, { name: "http://secunia.com/advisories/59118", refsource: "MISC", url: "http://secunia.com/advisories/59118", }, { name: "http://secunia.com/advisories/59228", refsource: "MISC", url: "http://secunia.com/advisories/59228", }, { name: "http://secunia.com/advisories/59245", refsource: "MISC", url: "http://secunia.com/advisories/59245", }, { name: "http://secunia.com/advisories/59246", refsource: "MISC", url: "http://secunia.com/advisories/59246", }, { name: "http://secunia.com/advisories/59430", refsource: "MISC", url: 
"http://secunia.com/advisories/59430", }, { name: "http://secunia.com/advisories/59464", refsource: "MISC", url: "http://secunia.com/advisories/59464", }, { name: "http://secunia.com/advisories/59479", refsource: "MISC", url: "http://secunia.com/advisories/59479", }, { name: "http://secunia.com/advisories/59480", refsource: "MISC", url: "http://secunia.com/advisories/59480", }, { name: "http://secunia.com/advisories/59704", refsource: "MISC", url: "http://secunia.com/advisories/59704", }, { name: "http://secunia.com/advisories/59718", refsource: "MISC", url: "http://secunia.com/advisories/59718", }, { name: "http://secunia.com/advisories/60177", refsource: "MISC", url: "http://secunia.com/advisories/60177", }, { name: "http://secunia.com/advisories/60703", refsource: "MISC", url: "http://secunia.com/advisories/60703", }, { name: "http://www-01.ibm.com/support/docview.wss?uid=swg21674128", refsource: "MISC", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21674128", }, { name: "http://www-01.ibm.com/support/docview.wss?uid=swg21674812", refsource: "MISC", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21674812", }, { name: "http://www-01.ibm.com/support/docview.wss?uid=swg21675266", refsource: "MISC", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675266", }, { name: "http://www-01.ibm.com/support/docview.wss?uid=swg21675387", refsource: "MISC", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675387", }, { name: "http://www-01.ibm.com/support/docview.wss?uid=swg21675689", refsource: "MISC", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675689", }, { name: "http://www-01.ibm.com/support/docview.wss?uid=swg21675898", refsource: "MISC", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675898", }, { name: "http://www-01.ibm.com/support/docview.wss?uid=swg21675972", refsource: "MISC", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675972", }, { name: 
"http://www-01.ibm.com/support/docview.wss?uid=swg21676091", refsource: "MISC", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676091", }, { name: "http://www-01.ibm.com/support/docview.wss?uid=swg21676110", refsource: "MISC", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676110", }, { name: "http://www-01.ibm.com/support/docview.wss?uid=swg21676303", refsource: "MISC", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676303", }, { name: "http://www-01.ibm.com/support/docview.wss?uid=swg21676375", refsource: "MISC", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676375", }, { name: "http://www-01.ibm.com/support/docview.wss?uid=swg21676931", refsource: "MISC", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676931", }, { name: "http://www-01.ibm.com/support/docview.wss?uid=swg21677110", refsource: "MISC", url: "http://www-01.ibm.com/support/docview.wss?uid=swg21677110", }, { name: "http://www-01.ibm.com/support/docview.wss?uid=swg27042296", refsource: "MISC", url: "http://www-01.ibm.com/support/docview.wss?uid=swg27042296", }, { name: "http://www.debian.org/security/2014/dsa-2940", refsource: "MISC", url: "http://www.debian.org/security/2014/dsa-2940", }, { name: "http://www.ibm.com/support/docview.wss?uid=swg21675496", refsource: "MISC", url: "http://www.ibm.com/support/docview.wss?uid=swg21675496", }, { name: "http://www.mandriva.com/security/advisories?name=MDVSA-2014:095", refsource: "MISC", url: "http://www.mandriva.com/security/advisories?name=MDVSA-2014:095", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", refsource: "MISC", url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { name: "http://www.securityfocus.com/bid/67121", refsource: "MISC", url: "http://www.securityfocus.com/bid/67121", }, { name: "https://access.redhat.com/errata/RHSA-2019:2995", refsource: "MISC", url: "https://access.redhat.com/errata/RHSA-2019:2995", }, { name: 
"https://access.redhat.com/solutions/869353", refsource: "MISC", url: "https://access.redhat.com/solutions/869353", }, { name: "https://bugzilla.redhat.com/show_bug.cgi?id=1116665", refsource: "MISC", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1116665", }, { name: "https://issues.apache.org/jira/browse/BEANUTILS-463", refsource: "MISC", url: "https://issues.apache.org/jira/browse/BEANUTILS-463", }, { name: "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E", }, { name: 
"https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E", refsource: "MISC", url: 
"https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E", }, { name: 
"https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E", refsource: "MISC", url: 
"https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E", }, { name: 
"https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E", refsource: "MISC", url: 
"https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E", }, { name: 
"https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E", }, { name: "https://security.gentoo.org/glsa/201607-09", refsource: "MISC", url: "https://security.gentoo.org/glsa/201607-09", }, { name: "https://security.netapp.com/advisory/ntap-20140911-0001/", refsource: "MISC", url: "https://security.netapp.com/advisory/ntap-20140911-0001/", }, { name: "https://security.netapp.com/advisory/ntap-20180629-0006/", refsource: "MISC", url: "https://security.netapp.com/advisory/ntap-20180629-0006/", }, { name: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", refsource: "MISC", url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { name: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", refsource: "MISC", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, ], }, }, "gitlab.com": { advisories: [ { affected_range: "(,1.9.1]", affected_versions: "All versions up to 1.9.1", cvss_v2: "AV:N/AC:L/Au:N/C:P/I:P/A:P", cwe_ids: [ "CWE-1035", "CWE-20", "CWE-937", ], date: "2019-06-15", description: "This package does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the `ActionForm` object in Struts ", fixed_versions: [ "1.9.2", ], identifier: "CVE-2014-0114", identifiers: [ "CVE-2014-0114", ], not_impacted: "All versions after 1.9.1", package_slug: "maven/commons-beanutils/commons-beanutils", pubdate: "2014-04-30", solution: "Upgrade to version 1.9.2 or above.", title: "Class Loader manipulation via request parameters", urls: [ 
"http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.U2J7xeaSxro", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114", "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", ], uuid: "dc5c6ffc-f1f7-494c-9c53-735bfc54215d", }, { affected_range: "(1.0,1.3.10]", affected_versions: "All versions up to 1.3.10", cvss_v2: "AV:N/AC:L/Au:N/C:P/I:P/A:P", cwe_ids: [ "CWE-1035", "CWE-20", "CWE-937", ], date: "2019-06-15", description: "Apache Commons BeanUtils does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the `ActionForm` object in Struts ", fixed_versions: [], identifier: "CVE-2014-0114", identifiers: [ "CVE-2014-0114", ], not_impacted: "All versions before 1.0", package_slug: "maven/struts/struts", pubdate: "2014-04-30", solution: "Unfortunately, there is no solution available yet.", title: "Improper Input Validation", urls: [ "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114", "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.U2J7xeaSxro", ], uuid: "5e123011-a07f-42bb-83e2-315733b05f18", }, ], }, "nvd.nist.gov": { configurations: { CVE_data_version: "4.0", nodes: [ { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:apache:commons_beanutils:*:*:*:*:*:*:*:*", cpe_name: [], versionEndIncluding: "1.9.1", vulnerable: true, }, ], operator: "OR", }, { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:*", 
cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.1:b3:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:struts:1.2.9:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, ], operator: "OR", }, ], }, cve: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2014-0114", }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "en", value: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "en", 
value: "CWE-20", }, ], }, ], }, references: { reference_data: [ { name: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", refsource: "CONFIRM", tags: [], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", }, { name: "59704", refsource: "SECUNIA", tags: [], url: "http://secunia.com/advisories/59704", }, { name: "http://www-01.ibm.com/support/docview.wss?uid=swg21676303", refsource: "CONFIRM", tags: [], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676303", }, { name: "https://issues.apache.org/jira/browse/BEANUTILS-463", refsource: "CONFIRM", tags: [], url: "https://issues.apache.org/jira/browse/BEANUTILS-463", }, { name: "https://bugzilla.redhat.com/show_bug.cgi?id=1116665", refsource: "CONFIRM", tags: [], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1116665", }, { name: "http://www-01.ibm.com/support/docview.wss?uid=swg21676931", refsource: "CONFIRM", tags: [], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676931", }, { name: "59014", refsource: "SECUNIA", tags: [], url: "http://secunia.com/advisories/59014", }, { name: "https://access.redhat.com/solutions/869353", refsource: "CONFIRM", tags: [], url: "https://access.redhat.com/solutions/869353", }, { name: "http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt", refsource: "CONFIRM", tags: [], url: "http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt", }, { name: "[oss-security] 20140707 Re: CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE", refsource: "MLIST", tags: [], url: "http://openwall.com/lists/oss-security/2014/07/08/1", }, { name: "58851", refsource: "SECUNIA", tags: [], url: "http://secunia.com/advisories/58851", }, { name: "[oss-security] 20140616 CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE", refsource: "MLIST", tags: [], url: "http://openwall.com/lists/oss-security/2014/06/15/10", }, { name: 
"http://www-01.ibm.com/support/docview.wss?uid=swg21676375", refsource: "CONFIRM", tags: [], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676375", }, { name: "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html", refsource: "CONFIRM", tags: [], url: "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html", }, { name: "60703", refsource: "SECUNIA", tags: [], url: "http://secunia.com/advisories/60703", }, { name: "60177", refsource: "SECUNIA", tags: [], url: "http://secunia.com/advisories/60177", }, { name: "FEDORA-2014-9380", refsource: "FEDORA", tags: [], url: "http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html", }, { name: "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html", refsource: "CONFIRM", tags: [], url: "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html", }, { name: "DSA-2940", refsource: "DEBIAN", tags: [], url: "http://www.debian.org/security/2014/dsa-2940", }, { name: "HPSBST03160", refsource: "HP", tags: [], url: "http://marc.info/?l=bugtraq&m=141451023707502&w=2", }, { name: "http://www.vmware.com/security/advisories/VMSA-2014-0012.html", refsource: "CONFIRM", tags: [], url: "http://www.vmware.com/security/advisories/VMSA-2014-0012.html", }, { name: "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities", refsource: "FULLDISC", tags: [], url: "http://seclists.org/fulldisclosure/2014/Dec/23", }, { name: "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", refsource: "CONFIRM", tags: [], url: "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", }, { name: "http://www-01.ibm.com/support/docview.wss?uid=swg21676091", refsource: "CONFIRM", tags: [], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676091", }, { name: "HPSBGN03041", refsource: "HP", tags: [], url: "http://marc.info/?l=bugtraq&m=140119284401582&w=2", }, { name: 
"HPSBMU03090", refsource: "HP", tags: [], url: "http://marc.info/?l=bugtraq&m=140801096002766&w=2", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", refsource: "CONFIRM", tags: [], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", }, { name: "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755", refsource: "CONFIRM", tags: [], url: "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755", }, { name: "67121", refsource: "BID", tags: [], url: "http://www.securityfocus.com/bid/67121", }, { name: "GLSA-201607-09", refsource: "GENTOO", tags: [], url: "https://security.gentoo.org/glsa/201607-09", }, { name: "http://www-01.ibm.com/support/docview.wss?uid=swg27042296", refsource: "CONFIRM", tags: [], url: "http://www-01.ibm.com/support/docview.wss?uid=swg27042296", }, { name: "http://www-01.ibm.com/support/docview.wss?uid=swg21677110", refsource: "CONFIRM", tags: [], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21677110", }, { name: "http://www-01.ibm.com/support/docview.wss?uid=swg21676110", refsource: "CONFIRM", tags: [], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21676110", }, { name: "http://www-01.ibm.com/support/docview.wss?uid=swg21675972", refsource: "CONFIRM", tags: [], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675972", }, { name: "http://www-01.ibm.com/support/docview.wss?uid=swg21675898", refsource: "CONFIRM", tags: [], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675898", }, { name: "http://www-01.ibm.com/support/docview.wss?uid=swg21675689", refsource: "CONFIRM", tags: [], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675689", }, { name: "http://www-01.ibm.com/support/docview.wss?uid=swg21675387", refsource: "CONFIRM", tags: [], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675387", }, { name: 
"http://www-01.ibm.com/support/docview.wss?uid=swg21675266", refsource: "CONFIRM", tags: [], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21675266", }, { name: "http://www-01.ibm.com/support/docview.wss?uid=swg21674812", refsource: "CONFIRM", tags: [], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21674812", }, { name: "http://www-01.ibm.com/support/docview.wss?uid=swg21674128", refsource: "CONFIRM", tags: [], url: "http://www-01.ibm.com/support/docview.wss?uid=swg21674128", }, { name: "http://www.vmware.com/security/advisories/VMSA-2014-0008.html", refsource: "CONFIRM", tags: [], url: "http://www.vmware.com/security/advisories/VMSA-2014-0008.html", }, { name: "MDVSA-2014:095", refsource: "MANDRIVA", tags: [], url: "http://www.mandriva.com/security/advisories?name=MDVSA-2014:095", }, { name: "http://www.ibm.com/support/docview.wss?uid=swg21675496", refsource: "CONFIRM", tags: [], url: "http://www.ibm.com/support/docview.wss?uid=swg21675496", }, { name: "59718", refsource: "SECUNIA", tags: [], url: "http://secunia.com/advisories/59718", }, { name: "59480", refsource: "SECUNIA", tags: [], url: "http://secunia.com/advisories/59480", }, { name: "59479", refsource: "SECUNIA", tags: [], url: "http://secunia.com/advisories/59479", }, { name: "59464", refsource: "SECUNIA", tags: [], url: "http://secunia.com/advisories/59464", }, { name: "59430", refsource: "SECUNIA", tags: [], url: "http://secunia.com/advisories/59430", }, { name: "59246", refsource: "SECUNIA", tags: [], url: "http://secunia.com/advisories/59246", }, { name: "59245", refsource: "SECUNIA", tags: [], url: "http://secunia.com/advisories/59245", }, { name: "59228", refsource: "SECUNIA", tags: [], url: "http://secunia.com/advisories/59228", }, { name: "59118", refsource: "SECUNIA", tags: [], url: "http://secunia.com/advisories/59118", }, { name: "58947", refsource: "SECUNIA", tags: [], url: "http://secunia.com/advisories/58947", }, { name: "58710", refsource: "SECUNIA", tags: [], url: 
"http://secunia.com/advisories/58710", }, { name: "57477", refsource: "SECUNIA", tags: [], url: "http://secunia.com/advisories/57477", }, { name: "http://advisories.mageia.org/MGASA-2014-0219.html", refsource: "CONFIRM", tags: [], url: "http://advisories.mageia.org/MGASA-2014-0219.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", refsource: "CONFIRM", tags: [], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", }, { name: "https://security.netapp.com/advisory/ntap-20140911-0001/", refsource: "CONFIRM", tags: [], url: "https://security.netapp.com/advisory/ntap-20140911-0001/", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", refsource: "CONFIRM", tags: [], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "[apache-ignite-developers] 20180601 [CVE-2014-0114]: Apache Ignite is vulnerable to existing CVE-2014-0114", refsource: "MLIST", tags: [], url: "http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html", }, { name: "https://security.netapp.com/advisory/ntap-20180629-0006/", refsource: "CONFIRM", tags: [], url: "https://security.netapp.com/advisory/ntap-20180629-0006/", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", refsource: "CONFIRM", tags: [], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { name: "RHSA-2018:2669", refsource: "REDHAT", tags: [], url: "https://access.redhat.com/errata/RHSA-2018:2669", }, { name: "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities", refsource: "BUGTRAQ", tags: [], url: "http://www.securityfocus.com/archive/1/534161/100/0/threaded", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", refsource: "CONFIRM", tags: [], url: 
"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { name: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", refsource: "CONFIRM", tags: [], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { name: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", refsource: "MISC", tags: [], url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { name: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", refsource: "MISC", tags: [], url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { name: "RHSA-2019:2995", refsource: "REDHAT", tags: [], url: "https://access.redhat.com/errata/RHSA-2019:2995", }, { name: "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E", refsource: "MISC", tags: [], url: 
"https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E", refsource: "MISC", tags: [], url: 
"https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E", }, { name: 
"https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E", refsource: "MISC", tags: [], 
url: "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E", }, { name: 
"https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E", refsource: "MISC", 
tags: [], url: "https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E", }, { name: 
"https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E", refsource: "MISC", tags: [], 
url: "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E", refsource: "MISC", tags: [], url: "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E", }, ], }, }, impact: { baseMetricV2: { cvssV2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, severity: "HIGH", userInteractionRequired: false, }, }, lastModifiedDate: "2023-02-13T00:32Z", publishedDate: "2014-04-30T10:49Z", }, }, }
ghsa-p66x-2cv9-qq3v
Vulnerability from github
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
{ affected: [ { package: { ecosystem: "Maven", name: "commons-beanutils:commons-beanutils", }, ranges: [ { events: [ { introduced: "1.8.0", }, { fixed: "1.9.4", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2014-0114", ], database_specific: { cwe_ids: [ "CWE-20", ], github_reviewed: true, github_reviewed_at: "2020-06-10T23:37:42Z", nvd_published_at: "2014-04-30T10:49:00Z", severity: "HIGH", }, details: "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", id: "GHSA-p66x-2cv9-qq3v", modified: "2024-06-05T15:57:09Z", published: "2020-06-10T23:38:01Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0114", }, { type: "WEB", url: "https://github.com/apache/commons-beanutils/pull/7", }, { type: "WEB", url: "https://github.com/apache/commons-beanutils/commit/62e82ad92cf4818709d6044aaf257b73d42659a4", }, { type: "WEB", url: "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E", }, { type: "WEB", url: "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6@%3Cissues.commons.apache.org%3E", }, { type: "WEB", url: "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E", }, { type: "WEB", url: "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E", }, { type: "WEB", url: "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E", }, { 
type: "WEB", url: "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639@%3Ccommits.commons.apache.org%3E", }, { type: "WEB", url: "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E", }, { type: "WEB", url: "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E", }, { type: "WEB", url: "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E", }, { type: "WEB", url: "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478@%3Cissues.commons.apache.org%3E", }, { type: "WEB", url: "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E", }, { type: "WEB", url: "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a@%3Cissues.commons.apache.org%3E", }, { type: "WEB", url: "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E", }, { type: "WEB", url: "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40@%3Cgitbox.activemq.apache.org%3E", }, { type: "WEB", url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { type: "WEB", url: "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64@%3Cissues.commons.apache.org%3E", }, { type: "WEB", url: "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E", }, { type: "WEB", url: "https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a@%3Cissues.commons.apache.org%3E", }, { type: "WEB", url: 
"https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E", }, ], schema_version: "1.4.0", severity: [], summary: "Arbitrary code execution in Apache Commons BeanUtils", }
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.