cvelistv5 - cve-2017-5637

URL	Tags
security@apache.org	http://www.debian.org/security/2017/dsa-3871	Third Party Advisory
security@apache.org	http://www.securityfocus.com/bid/98814	VDB Entry, Third Party Advisory
security@apache.org	https://access.redhat.com/errata/RHSA-2017:2477
security@apache.org	https://access.redhat.com/errata/RHSA-2017:3354
security@apache.org	https://access.redhat.com/errata/RHSA-2017:3355
security@apache.org	https://issues.apache.org/jira/browse/ZOOKEEPER-2693	Issue Tracking, Mitigation, Vendor Advisory
security@apache.org	https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
security@apache.org	https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370%40%3Cdev.zookeeper.apache.org%3E
security@apache.org	https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E
security@apache.org	https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
security@apache.org	https://www.oracle.com//security-alerts/cpujul2021.html
security@apache.org	https://www.oracle.com/security-alerts/cpujul2020.html

▼	Vendor	Product
	Apache Software Foundation	Apache ZooKeeper

rhsa-2017_3354

Vulnerability from csaf_redhat

Published

2017-11-30 16:47

Modified

2024-11-22 11:36

Summary

Red Hat Security Advisory: Red Hat JBoss BRMS 6.4.7 security update

Notes

Topic

An update is now available for Red Hat JBoss BRMS. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules. This release of Red Hat JBoss BRMS 6.4.7 serves as a replacement for Red Hat JBoss BRMS 6.4.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing "wchp/wchc" commands, leading to the server being unable to serve legitimate requests. (CVE-2017-5637) * It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks. (CVE-2017-7545) Red Hat would like to thank Man Yue Mo (Semmle) for reporting CVE-2017-7545.

Terms of Use

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for Red Hat JBoss BRMS.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.\n\nThis release of Red Hat JBoss BRMS 6.4.7 serves as a replacement for Red Hat JBoss BRMS 6.4.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing \"wchp/wchc\" commands, leading to the server being unable to serve legitimate requests. (CVE-2017-5637)\n\n* It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks. (CVE-2017-7545)\n\nRed Hat would like to thank Man Yue Mo (Semmle) for reporting CVE-2017-7545.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2017:3354",
        "url": "https://access.redhat.com/errata/RHSA-2017:3354"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=securityPatches\u0026version=6.4",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=securityPatches\u0026version=6.4"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en/red-hat-jboss-brms/",
        "url": "https://access.redhat.com/documentation/en/red-hat-jboss-brms/"
      },
      {
        "category": "external",
        "summary": "1454808",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1454808"
      },
      {
        "category": "external",
        "summary": "1474822",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1474822"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_3354.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss BRMS 6.4.7 security update",
    "tracking": {
      "current_release_date": "2024-11-22T11:36:55+00:00",
      "generator": {
        "date": "2024-11-22T11:36:55+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2017:3354",
      "initial_release_date": "2017-11-30T16:47:01+00:00",
      "revision_history": [
        {
          "date": "2017-11-30T16:47:01+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2017-11-30T16:47:01+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T11:36:55+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss BRMS 6.4",
                "product": {
                  "name": "Red Hat JBoss BRMS 6.4",
                  "product_id": "Red Hat JBoss BRMS 6.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:6.4"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Decision Manager"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2017-5637",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2017-05-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1454808"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing \"wchp/wchc\" commands, leading to the server being unable to serve legitimate requests.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "zookeeper: Incorrect input validation with wchp/wchc four letter words",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss BRMS 6.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2017-5637"
        },
        {
          "category": "external",
          "summary": "RHBZ#1454808",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1454808"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2017-5637",
          "url": "https://www.cve.org/CVERecord?id=CVE-2017-5637"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637"
        }
      ],
      "release_date": "2017-02-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2017-11-30T16:47:01+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat JBoss BRMS 6.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2017:3354"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss BRMS 6.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "zookeeper: Incorrect input validation with wchp/wchc four letter words"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Man Yue Mo"
          ],
          "organization": "Semmle"
        }
      ],
      "cve": "CVE-2017-7545",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2017-07-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1474822"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jbpmmigration: XXE vulnerability in XmlUtils",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss BRMS 6.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2017-7545"
        },
        {
          "category": "external",
          "summary": "RHBZ#1474822",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1474822"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2017-7545",
          "url": "https://www.cve.org/CVERecord?id=CVE-2017-7545"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7545",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7545"
        }
      ],
      "release_date": "2017-11-30T16:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2017-11-30T16:47:01+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat JBoss BRMS 6.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2017:3354"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss BRMS 6.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jbpmmigration: XXE vulnerability in XmlUtils"
    }
  ]
}

rhsa-2017_2477

Vulnerability from csaf_redhat

Published

2017-08-15 15:07

Modified

2024-11-22 11:16

Summary

Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.3 Update 7 security update

Notes

Topic

An update is now available for Red Hat JBoss Data Virtualization. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems - such as multiple databases, XML files, and even Hadoop systems - appear as a set of tables in a local database. This release of Red Hat JBoss Data Virtualization 6.3 Update 7 serves as a replacement for Red Hat JBoss Data Virtualization 6.3 Update 6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525) * A vulnerability was discovered in Apache Thrift client libraries that allows remote, authenticated attackers to cause an infinite recursion via vectors involving the skip function; resulting in a denial of service (DoS) condition. (CVE-2015-3254) * A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing "wchp/wchc" commands, leading to the server being unable to serve legitimate requests. (CVE-2017-5637) Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.

Terms of Use

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for Red Hat JBoss Data Virtualization.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems - such as multiple databases, XML files, and even Hadoop systems - appear as a set of tables in a local database.\n\nThis release of Red Hat JBoss Data Virtualization 6.3 Update 7 serves as a replacement for Red Hat JBoss Data Virtualization 6.3 Update 6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)\n\n* A vulnerability was discovered in Apache Thrift client libraries that allows remote, authenticated attackers to cause an infinite recursion via vectors involving the skip function; resulting in a denial of service (DoS) condition. (CVE-2015-3254)\n\n* A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing \"wchp/wchc\" commands, leading to the server being unable to serve legitimate requests. (CVE-2017-5637)\n\nRed Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2017:2477",
        "url": "https://access.redhat.com/errata/RHSA-2017:2477"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.3.0",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.3.0"
      },
      {
        "category": "external",
        "summary": "1454808",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1454808"
      },
      {
        "category": "external",
        "summary": "1462702",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1462702"
      },
      {
        "category": "external",
        "summary": "1462783",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1462783"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2477.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.3 Update 7 security update",
    "tracking": {
      "current_release_date": "2024-11-22T11:16:52+00:00",
      "generator": {
        "date": "2024-11-22T11:16:52+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2017:2477",
      "initial_release_date": "2017-08-15T15:07:56+00:00",
      "revision_history": [
        {
          "date": "2017-08-15T15:07:56+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2017-08-15T15:07:56+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T11:16:52+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Data Virtualization 6.3",
                "product": {
                  "name": "Red Hat JBoss Data Virtualization 6.3",
                  "product_id": "Red Hat JBoss Data Virtualization 6.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_data_virtualization:6.3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Data Virtualization"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2015-3254",
      "cwe": {
        "id": "CWE-835",
        "name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
      },
      "discovery_date": "2017-06-16T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1462783"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was discovered in Apache Thrift client libraries that allows remote, authenticated attackers to cause an infinite recursion via vectors involving the skip function; resulting in a denial of service (DoS) condition.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "thrift: Infinite recursion via vectors involving the skip function",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Data Virtualization 6.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-3254"
        },
        {
          "category": "external",
          "summary": "RHBZ#1462783",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1462783"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-3254",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-3254"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-3254",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3254"
        }
      ],
      "release_date": "2015-07-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2017-08-15T15:07:56+00:00",
          "details": "Before applying the update, back up your existing Red Hat JBoss Data Virtualization installation (including its databases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the Red Hat JBoss Data Virtualization server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat JBoss Data Virtualization 6.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2017:2477"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss Data Virtualization 6.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "thrift: Infinite recursion via vectors involving the skip function"
    },
    {
      "cve": "CVE-2017-5637",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2017-05-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1454808"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing \"wchp/wchc\" commands, leading to the server being unable to serve legitimate requests.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "zookeeper: Incorrect input validation with wchp/wchc four letter words",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Data Virtualization 6.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2017-5637"
        },
        {
          "category": "external",
          "summary": "RHBZ#1454808",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1454808"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2017-5637",
          "url": "https://www.cve.org/CVERecord?id=CVE-2017-5637"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637"
        }
      ],
      "release_date": "2017-02-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2017-08-15T15:07:56+00:00",
          "details": "Before applying the update, back up your existing Red Hat JBoss Data Virtualization installation (including its databases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the Red Hat JBoss Data Virtualization server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat JBoss Data Virtualization 6.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2017:2477"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss Data Virtualization 6.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "zookeeper: Incorrect input validation with wchp/wchc four letter words"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Liao Xinxi"
          ],
          "organization": "NSFOCUS"
        }
      ],
      "cve": "CVE-2017-7525",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2017-06-16T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1462702"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time:\n\nCandlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected.\n\nHowever as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked.\n\nJBoss EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advise about how to remain safe when using JAX-RS webservices on JBoss EAP 7.x is available here: \n\nhttps://access.redhat.com/solutions/3279231\n\nAlthough JBoss Fuse ships the vulnerable version of jackson-databind, it does not call on enableDefaultTyping() for any polymorphic deserialization operations which is the root cause of this vulnerability. We have raised a Jira tracker to ensure that jackson-databind will be upgraded for Fuse 7.0, however due to feasibility issues jackson-databind cannot be upgraded in JBoss Fuse 6.3.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Data Virtualization 6.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2017-7525"
        },
        {
          "category": "external",
          "summary": "RHBZ#1462702",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1462702"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2017-7525",
          "url": "https://www.cve.org/CVERecord?id=CVE-2017-7525"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7525",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7525"
        }
      ],
      "release_date": "2017-07-14T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2017-08-15T15:07:56+00:00",
          "details": "Before applying the update, back up your existing Red Hat JBoss Data Virtualization installation (including its databases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the Red Hat JBoss Data Virtualization server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat JBoss Data Virtualization 6.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2017:2477"
        },
        {
          "category": "workaround",
          "details": "Mitigation to this problem is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true",
          "product_ids": [
            "Red Hat JBoss Data Virtualization 6.3"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss Data Virtualization 6.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper"
    }
  ]
}

rhsa-2017_3355

Vulnerability from csaf_redhat

Published

2017-11-30 16:46

Modified

2024-11-22 11:36

Summary

Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.4.7 security update

Notes

Topic

An update is now available for Red Hat JBoss BPM Suite. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes. This release of Red Hat JBoss BPM Suite 6.4.7 serves as a replacement for Red Hat JBoss BPM Suite 6.4.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing "wchp/wchc" commands, leading to the server being unable to serve legitimate requests. (CVE-2017-5637) * It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks. (CVE-2017-7545) Red Hat would like to thank Man Yue Mo (Semmle) for reporting CVE-2017-7545.

Terms of Use

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for Red Hat JBoss BPM Suite.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.\n\nThis release of Red Hat JBoss BPM Suite 6.4.7 serves as a replacement for Red Hat JBoss BPM Suite 6.4.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing \"wchp/wchc\" commands, leading to the server being unable to serve legitimate requests. (CVE-2017-5637)\n\n* It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks. (CVE-2017-7545)\n\nRed Hat would like to thank Man Yue Mo (Semmle) for reporting CVE-2017-7545.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2017:3355",
        "url": "https://access.redhat.com/errata/RHSA-2017:3355"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite\u0026downloadType=securityPatches\u0026version=6.4",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite\u0026downloadType=securityPatches\u0026version=6.4"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en/red-hat-jboss-bpm-suite/",
        "url": "https://access.redhat.com/documentation/en/red-hat-jboss-bpm-suite/"
      },
      {
        "category": "external",
        "summary": "1454808",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1454808"
      },
      {
        "category": "external",
        "summary": "1474822",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1474822"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_3355.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.4.7 security update",
    "tracking": {
      "current_release_date": "2024-11-22T11:36:59+00:00",
      "generator": {
        "date": "2024-11-22T11:36:59+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2017:3355",
      "initial_release_date": "2017-11-30T16:46:10+00:00",
      "revision_history": [
        {
          "date": "2017-11-30T16:46:10+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2017-11-30T16:46:10+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T11:36:59+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss BPMS 6.4",
                "product": {
                  "name": "Red Hat JBoss BPMS 6.4",
                  "product_id": "Red Hat JBoss BPMS 6.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_bpms:6.4"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Process Automation Manager"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2017-5637",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2017-05-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1454808"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing \"wchp/wchc\" commands, leading to the server being unable to serve legitimate requests.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "zookeeper: Incorrect input validation with wchp/wchc four letter words",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss BPMS 6.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2017-5637"
        },
        {
          "category": "external",
          "summary": "RHBZ#1454808",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1454808"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2017-5637",
          "url": "https://www.cve.org/CVERecord?id=CVE-2017-5637"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637"
        }
      ],
      "release_date": "2017-02-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2017-11-30T16:46:10+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat JBoss BPMS 6.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2017:3355"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss BPMS 6.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "zookeeper: Incorrect input validation with wchp/wchc four letter words"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Man Yue Mo"
          ],
          "organization": "Semmle"
        }
      ],
      "cve": "CVE-2017-7545",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2017-07-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1474822"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jbpmmigration: XXE vulnerability in XmlUtils",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss BPMS 6.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2017-7545"
        },
        {
          "category": "external",
          "summary": "RHBZ#1474822",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1474822"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2017-7545",
          "url": "https://www.cve.org/CVERecord?id=CVE-2017-7545"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7545",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7545"
        }
      ],
      "release_date": "2017-11-30T16:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2017-11-30T16:46:10+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat JBoss BPMS 6.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2017:3355"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss BPMS 6.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jbpmmigration: XXE vulnerability in XmlUtils"
    }
  ]
}

gsd-2017-5637

Vulnerability from gsd

Modified

2023-12-13 01:21

Details

Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.

Aliases

CVE-2017-5637

Aliases

CVE-2017-5637

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2017-5637",
    "description": "Two four letter word commands \"wchp/wchc\" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.",
    "id": "GSD-2017-5637",
    "references": [
      "https://www.suse.com/security/cve/CVE-2017-5637.html",
      "https://www.debian.org/security/2017/dsa-3871",
      "https://access.redhat.com/errata/RHSA-2017:3355",
      "https://access.redhat.com/errata/RHSA-2017:3354",
      "https://access.redhat.com/errata/RHSA-2017:2477",
      "https://ubuntu.com/security/CVE-2017-5637"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2017-5637"
      ],
      "details": "Two four letter word commands \"wchp/wchc\" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.",
      "id": "GSD-2017-5637",
      "modified": "2023-12-13T01:21:13.917730Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "DATE_PUBLIC": "2017-10-09T00:00:00",
        "ID": "CVE-2017-5637",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache ZooKeeper",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "3.4.0 to 3.4.9"
                        },
                        {
                          "version_value": "3.5.0 to 3.5.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Two four letter word commands \"wchp/wchc\" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "DOS"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "[dev] 20171009 [SECURITY] CVE-2017-5637: DOS attack on wchp/wchc four letter words (4lw)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370@%3Cdev.zookeeper.apache.org%3E"
          },
          {
            "name": "98814",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/98814"
          },
          {
            "name": "RHSA-2017:3355",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2017:3355"
          },
          {
            "name": "RHSA-2017:3354",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2017:3354"
          },
          {
            "name": "RHSA-2017:2477",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2017:2477"
          },
          {
            "name": "DSA-3871",
            "refsource": "DEBIAN",
            "url": "http://www.debian.org/security/2017/dsa-3871"
          },
          {
            "name": "[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E"
          },
          {
            "name": "[nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E"
          },
          {
            "name": "[nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E"
          },
          {
            "name": "https://www.oracle.com/security-alerts/cpujul2020.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
          },
          {
            "name": "https://issues.apache.org/jira/browse/ZOOKEEPER-2693",
            "refsource": "CONFIRM",
            "url": "https://issues.apache.org/jira/browse/ZOOKEEPER-2693"
          },
          {
            "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "[3.4.0,3.4.9],[3.5.0,3.5.2]",
          "affected_versions": "All versions starting from 3.4.0 up to 3.4.9, all versions starting from 3.5.0 up to 3.5.2",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-306",
            "CWE-400",
            "CWE-937"
          ],
          "date": "2019-10-03",
          "description": "Two `wchp` and `wchc` commands are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests.",
          "fixed_versions": [
            "3.4.10",
            "3.5.3"
          ],
          "identifier": "CVE-2017-5637",
          "identifiers": [
            "CVE-2017-5637"
          ],
          "not_impacted": "All versions before 3.4.0, all versions after 3.4.9 before 3.5.0, all versions after 3.5.2",
          "package_slug": "maven/org.apache.zookeeper/zookeeper",
          "pubdate": "2017-10-10",
          "solution": "Upgrade to versions 3.4.10, 3.5.3 or above.",
          "title": "Missing Authentication for Critical Function",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2017-5637",
            "http://www.securityfocus.com/bid/98814",
            "https://issues.apache.org/jira/browse/ZOOKEEPER-2693"
          ],
          "uuid": "eba1af28-547c-4137-a5da-46446b50b280"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:zookeeper:3.4.8:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:zookeeper:3.4.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:zookeeper:3.5.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:zookeeper:3.5.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:zookeeper:3.4.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:zookeeper:3.4.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:zookeeper:3.4.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:zookeeper:3.4.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:zookeeper:3.4.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:zookeeper:3.5.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:zookeeper:3.4.9:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:zookeeper:3.4.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:zookeeper:3.4.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2017-5637"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Two four letter word commands \"wchp/wchc\" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-400"
                },
                {
                  "lang": "en",
                  "value": "CWE-306"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[dev] 20171009 [SECURITY] CVE-2017-5637: DOS attack on wchp/wchc four letter words (4lw)",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370@%3Cdev.zookeeper.apache.org%3E"
            },
            {
              "name": "https://issues.apache.org/jira/browse/ZOOKEEPER-2693",
              "refsource": "CONFIRM",
              "tags": [
                "Issue Tracking",
                "Mitigation",
                "Vendor Advisory"
              ],
              "url": "https://issues.apache.org/jira/browse/ZOOKEEPER-2693"
            },
            {
              "name": "98814",
              "refsource": "BID",
              "tags": [
                "VDB Entry",
                "Third Party Advisory"
              ],
              "url": "http://www.securityfocus.com/bid/98814"
            },
            {
              "name": "DSA-3871",
              "refsource": "DEBIAN",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://www.debian.org/security/2017/dsa-3871"
            },
            {
              "name": "RHSA-2017:3355",
              "refsource": "REDHAT",
              "tags": [],
              "url": "https://access.redhat.com/errata/RHSA-2017:3355"
            },
            {
              "name": "RHSA-2017:3354",
              "refsource": "REDHAT",
              "tags": [],
              "url": "https://access.redhat.com/errata/RHSA-2017:3354"
            },
            {
              "name": "RHSA-2017:2477",
              "refsource": "REDHAT",
              "tags": [],
              "url": "https://access.redhat.com/errata/RHSA-2017:2477"
            },
            {
              "name": "[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E"
            },
            {
              "name": "[nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E"
            },
            {
              "name": "[nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2020.html",
              "refsource": "MISC",
              "tags": [],
              "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
            },
            {
              "name": "N/A",
              "refsource": "N/A",
              "tags": [],
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2021-07-20T23:15Z",
      "publishedDate": "2017-10-10T01:30Z"
    }
  }
}

wid-sec-w-2022-0770

Vulnerability from csaf_certbund

Published

2020-04-23 22:00

Modified

2024-05-16 22:00

Summary

IBM DB2: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

IBM DB2 ist ein relationales Datenbanksystem (RDBS) von IBM.

Angriff

Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in IBM DB2 ausnutzen, um seine Privilegien zu erhöhen oder einen Denial of Service zu verursachen

Betroffene Betriebssysteme

- Linux - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "IBM DB2 ist ein relationales Datenbanksystem (RDBS) von IBM.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in IBM DB2 ausnutzen, um seine Privilegien zu erh\u00f6hen oder einen Denial of Service zu verursachen",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2022-0770 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2020/wid-sec-w-2022-0770.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2022-0770 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0770"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 6198380 vom 2020-04-23",
        "url": "https://www.ibm.com/support/pages/node/6198380"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2020:2603 vom 2020-06-17",
        "url": "https://access.redhat.com/errata/RHSA-2020:2603"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2020:4807 vom 2020-11-04",
        "url": "https://access.redhat.com/errata/RHSA-2020:4807"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:3225 vom 2021-08-20",
        "url": "https://access.redhat.com/errata/RHSA-2021:3225"
      },
      {
        "category": "external",
        "summary": "Hitachi Vulnerability Information HITACHI-SEC-2022-115 vom 2022-05-27",
        "url": "https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2022-115/index.html"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 6605881 vom 2022-07-21",
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-have-been-identified-in-ibm-db2-shipped-with-ibm-puredata-system-for-operational-analytics/"
      },
      {
        "category": "external",
        "summary": "Dell Security Advisory DSA-2024-070 vom 2024-02-03",
        "url": "https://www.dell.com/support/kbdoc/000221770/dsa-2024-="
      },
      {
        "category": "external",
        "summary": "Hitachi Vulnerability Information HITACHI-SEC-2023-144 vom 2023-10-03",
        "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2023-144/index.html"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7153639 vom 2024-05-17",
        "url": "https://www.ibm.com/support/pages/node/7153639"
      }
    ],
    "source_lang": "en-US",
    "title": "IBM DB2: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2024-05-16T22:00:00.000+00:00",
      "generator": {
        "date": "2024-05-17T08:33:37.793+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.0"
        }
      },
      "id": "WID-SEC-W-2022-0770",
      "initial_release_date": "2020-04-23T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2020-04-23T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2020-06-17T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2020-11-03T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2021-08-19T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-05-26T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von HITACHI aufgenommen"
        },
        {
          "date": "2022-07-20T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2023-10-03T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von HITACHI aufgenommen"
        },
        {
          "date": "2024-02-04T23:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Dell aufgenommen"
        },
        {
          "date": "2024-05-16T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von IBM aufgenommen"
        }
      ],
      "status": "final",
      "version": "9"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "EMC Avamar",
            "product": {
              "name": "EMC Avamar",
              "product_id": "T014381",
              "product_identification_helper": {
                "cpe": "cpe:/a:emc:avamar:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "EMC"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Hitachi Ops Center",
                "product": {
                  "name": "Hitachi Ops Center",
                  "product_id": "T017562",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hitachi:ops_center:-"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cAnalyzer 10.9.3-00",
                "product": {
                  "name": "Hitachi Ops Center \u003cAnalyzer 10.9.3-00",
                  "product_id": "T030196",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hitachi:ops_center:analyzer_10.9.3-00"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cViewpoint 10.9.3-00",
                "product": {
                  "name": "Hitachi Ops Center \u003cViewpoint 10.9.3-00",
                  "product_id": "T030197",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hitachi:ops_center:viewpoint_10.9.3-00"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Ops Center"
          }
        ],
        "category": "vendor",
        "name": "Hitachi"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "11.1",
                "product": {
                  "name": "IBM DB2 11.1",
                  "product_id": "342000",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:db2:11.1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "11.5",
                "product": {
                  "name": "IBM DB2 11.5",
                  "product_id": "695419",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:db2:11.5"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "DB2"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2009-0001",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2009-0001"
    },
    {
      "cve": "CVE-2014-0114",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2014-0114"
    },
    {
      "cve": "CVE-2014-0193",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2014-0193"
    },
    {
      "cve": "CVE-2014-3488",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2014-3488"
    },
    {
      "cve": "CVE-2015-2156",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2015-2156"
    },
    {
      "cve": "CVE-2016-2402",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2016-2402"
    },
    {
      "cve": "CVE-2017-12972",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2017-12972"
    },
    {
      "cve": "CVE-2017-12973",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2017-12973"
    },
    {
      "cve": "CVE-2017-12974",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2017-12974"
    },
    {
      "cve": "CVE-2017-18640",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2017-18640"
    },
    {
      "cve": "CVE-2017-3734",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2017-3734"
    },
    {
      "cve": "CVE-2017-5637",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2017-5637"
    },
    {
      "cve": "CVE-2018-10237",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2018-10237"
    },
    {
      "cve": "CVE-2018-11771",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2018-11771"
    },
    {
      "cve": "CVE-2018-8009",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2018-8009"
    },
    {
      "cve": "CVE-2018-8012",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2018-8012"
    },
    {
      "cve": "CVE-2019-0201",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2019-0201"
    },
    {
      "cve": "CVE-2019-10086",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2019-10086"
    },
    {
      "cve": "CVE-2019-10172",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2019-10172"
    },
    {
      "cve": "CVE-2019-10202",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2019-10202"
    },
    {
      "cve": "CVE-2019-12402",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2019-12402"
    },
    {
      "cve": "CVE-2019-16869",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2019-16869"
    },
    {
      "cve": "CVE-2019-17195",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2019-17195"
    },
    {
      "cve": "CVE-2019-17571",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2019-17571"
    },
    {
      "cve": "CVE-2019-9512",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2019-9512"
    },
    {
      "cve": "CVE-2019-9514",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2019-9514"
    },
    {
      "cve": "CVE-2019-9515",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2019-9515"
    },
    {
      "cve": "CVE-2019-9518",
      "notes": [
        {
          "category": "description",
          "text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T014381",
          "342000",
          "67646",
          "695419",
          "T030196",
          "T017562",
          "T030197"
        ]
      },
      "release_date": "2020-04-23T22:00:00Z",
      "title": "CVE-2019-9518"
    }
  ]
}

ghsa-7cwj-j333-x7f7

Vulnerability from github

Published

2022-05-13 01:08

Modified

2022-07-01 16:58

Severity ?

7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

Uncontrolled Resource Consumption in Apache ZooKeeper

Details

Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.4.9"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.zookeeper:zookeeper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.4.0"
            },
            {
              "fixed": "3.4.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.5.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.zookeeper:zookeeper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.5.0"
            },
            {
              "fixed": "3.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-5637"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-01T16:58:11Z",
    "nvd_published_at": "2017-10-10T01:30:00Z",
    "severity": "HIGH"
  },
  "details": "Two four letter word commands \"wchp/wchc\" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.",
  "id": "GHSA-7cwj-j333-x7f7",
  "modified": "2022-07-01T16:58:11Z",
  "published": "2022-05-13T01:08:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:2477"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:3354"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:3355"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/ZOOKEEPER-2693"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370@%3Cdev.zookeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-3871"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98814"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Uncontrolled Resource Consumption in Apache ZooKeeper"
}

cve-2017-5637

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature

Action not permitted

cve-2017-5637

Vulnerability from cvelistv5

rhsa-2017_3354

Vulnerability from csaf_redhat

rhsa-2017_2477

Vulnerability from csaf_redhat

rhsa-2017_3355

Vulnerability from csaf_redhat

gsd-2017-5637

Vulnerability from gsd

wid-sec-w-2022-0770

Vulnerability from csaf_certbund

ghsa-7cwj-j333-x7f7

Vulnerability from github

Tags

Sightings

Nomenclature