Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2017-5637
Vulnerability from cvelistv5
Published
2017-10-10 01:00
Modified
2024-09-17 00:16
Severity ?
EPSS score ?
Summary
Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache ZooKeeper |
Version: 3.4.0 to 3.4.9 Version: 3.5.0 to 3.5.2 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:04:15.426Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[dev] 20171009 [SECURITY] CVE-2017-5637: DOS attack on wchp/wchc four letter words (4lw)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "98814",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/98814"
},
{
"name": "RHSA-2017:3355",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3355"
},
{
"name": "RHSA-2017:3354",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3354"
},
{
"name": "RHSA-2017:2477",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2477"
},
{
"name": "DSA-3871",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2017/dsa-3871"
},
{
"name": "[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E"
},
{
"name": "[nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E"
},
{
"name": "[nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://issues.apache.org/jira/browse/ZOOKEEPER-2693"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache ZooKeeper",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "3.4.0 to 3.4.9"
},
{
"status": "affected",
"version": "3.5.0 to 3.5.2"
}
]
}
],
"datePublic": "2017-10-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Two four letter word commands \"wchp/wchc\" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "DOS",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-20T22:53:06",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[dev] 20171009 [SECURITY] CVE-2017-5637: DOS attack on wchp/wchc four letter words (4lw)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "98814",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/98814"
},
{
"name": "RHSA-2017:3355",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3355"
},
{
"name": "RHSA-2017:3354",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3354"
},
{
"name": "RHSA-2017:2477",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2477"
},
{
"name": "DSA-3871",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2017/dsa-3871"
},
{
"name": "[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E"
},
{
"name": "[nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E"
},
{
"name": "[nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://issues.apache.org/jira/browse/ZOOKEEPER-2693"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-10-09T00:00:00",
"ID": "CVE-2017-5637",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache ZooKeeper",
"version": {
"version_data": [
{
"version_value": "3.4.0 to 3.4.9"
},
{
"version_value": "3.5.0 to 3.5.2"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Two four letter word commands \"wchp/wchc\" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "DOS"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[dev] 20171009 [SECURITY] CVE-2017-5637: DOS attack on wchp/wchc four letter words (4lw)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "98814",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/98814"
},
{
"name": "RHSA-2017:3355",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:3355"
},
{
"name": "RHSA-2017:3354",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:3354"
},
{
"name": "RHSA-2017:2477",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:2477"
},
{
"name": "DSA-3871",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2017/dsa-3871"
},
{
"name": "[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E"
},
{
"name": "[nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E"
},
{
"name": "[nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"name": "https://issues.apache.org/jira/browse/ZOOKEEPER-2693",
"refsource": "CONFIRM",
"url": "https://issues.apache.org/jira/browse/ZOOKEEPER-2693"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-5637",
"datePublished": "2017-10-10T01:00:00Z",
"dateReserved": "2017-01-29T00:00:00",
"dateUpdated": "2024-09-17T00:16:26.240Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:zookeeper:3.4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F0E65AF7-9D19-4B31-9BE0-4EB07B2853F9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:zookeeper:3.4.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"98FFE2B9-6744-4198-946E-89D78EC5E72C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:zookeeper:3.4.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"075AF151-A8A1-48BC-BD8B-E123ACAD5A02\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:zookeeper:3.4.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"AF7A6DB3-2F19-4155-B019-2325A3D1186F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:zookeeper:3.4.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7346C4C9-7788-4686-A9D3-0225CA1A5B39\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:zookeeper:3.4.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2BA6B730-25E1-489D-BBB7-18F9251EF20D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:zookeeper:3.4.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7DCF90EA-9BD7-42FE-A1C2-0C04D53543DC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:zookeeper:3.4.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6E981E8B-0BEF-4644-919F-0BF7549D70E8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:zookeeper:3.4.8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"10957A4F-4A07-4777-A92B-525C0AF9D99C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:zookeeper:3.4.9:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2732FE0E-9F19-46BE-BE05-3DF6ED7AC222\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:zookeeper:3.5.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C6BC9FC3-2BFE-40D1-A647-801AC49CA0E0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:zookeeper:3.5.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"31DA0549-5FD8-427E-995F-49B26854CB47\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:zookeeper:3.5.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A7974A08-51CA-4E28-A914-F2C5173E0C76\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Two four letter word commands \\\"wchp/wchc\\\" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.\"}, {\"lang\": \"es\", \"value\": \"Dos comandos con palabras de cuatro letras \\\"wchp/wchc\\\" provocan un gran consumo de CPU y podr\\u00edan dar lugar a que se alcance el m\\u00e1ximo uso de CPU en el servidor Apache ZooKeeper si se abusa de ellos, lo que da lugar a que el servidor quede deshabilitado para servir a peticiones de clientes leg\\u00edtimos. Las versiones de la 3.4.9 a la 3.5.2 de Apache ZooKeeper tienen este problema, que fue solucionado en las versiones 3.4.10, 3.5.3 y posteriores.\"}]",
"id": "CVE-2017-5637",
"lastModified": "2024-11-21T03:28:04.187",
"metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2017-10-10T01:30:22.360",
"references": "[{\"url\": \"http://www.debian.org/security/2017/dsa-3871\", \"source\": \"security@apache.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/98814\", \"source\": \"security@apache.org\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2477\", \"source\": \"security@apache.org\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:3354\", \"source\": \"security@apache.org\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:3355\", \"source\": \"security@apache.org\"}, {\"url\": \"https://issues.apache.org/jira/browse/ZOOKEEPER-2693\", \"source\": \"security@apache.org\", \"tags\": [\"Issue Tracking\", \"Mitigation\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370%40%3Cdev.zookeeper.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\", \"source\": \"security@apache.org\"}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\", \"source\": \"security@apache.org\"}, {\"url\": \"http://www.debian.org/security/2017/dsa-3871\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/98814\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2477\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:3354\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:3355\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://issues.apache.org/jira/browse/ZOOKEEPER-2693\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Mitigation\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370%40%3Cdev.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-306\"}, {\"lang\": \"en\", \"value\": \"CWE-400\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2017-5637\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2017-10-10T01:30:22.360\",\"lastModified\":\"2024-11-21T03:28:04.187\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Two four letter word commands \\\"wchp/wchc\\\" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.\"},{\"lang\":\"es\",\"value\":\"Dos comandos con palabras de cuatro letras \\\"wchp/wchc\\\" provocan un gran consumo de CPU y podr\u00edan dar lugar a que se alcance el m\u00e1ximo uso de CPU en el servidor Apache ZooKeeper si se abusa de ellos, lo que da lugar a que el servidor quede deshabilitado para servir a peticiones de clientes leg\u00edtimos. Las versiones de la 3.4.9 a la 3.5.2 de Apache ZooKeeper tienen este problema, que fue solucionado en las versiones 3.4.10, 3.5.3 y posteriores.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"},{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:zookeeper:3.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F0E65AF7-9D19-4B31-9BE0-4EB07B2853F9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:zookeeper:3.4.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"98FFE2B9-6744-4198-946E-89D78EC5E72C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:zookeeper:3.4.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"075AF151-A8A1-48BC-BD8B-E123ACAD5A02\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:zookeeper:3.4.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AF7A6DB3-2F19-4155-B019-2325A3D1186F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:zookeeper:3.4.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7346C4C9-7788-4686-A9D3-0225CA1A5B39\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:zookeeper:3.4.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2BA6B730-25E1-489D-BBB7-18F9251EF20D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:zookeeper:3.4.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7DCF90EA-9BD7-42FE-A1C2-0C04D53543DC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:zookeeper:3.4.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6E981E8B-0BEF-4644-919F-0BF7549D70E8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:zookeeper:3.4.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"10957A4F-4A07-4777-A92B-525C0AF9D99C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:zookeeper:3.4.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2732FE0E-9F19-46BE-BE05-3DF6ED7AC222\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:zookeeper:3.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C6BC9FC3-2BFE-40D1-A647-801AC49CA0E0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:zookeeper:3.5.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"31DA0549-5FD8-427E-995F-49B26854CB47\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:zookeeper:3.5.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A7974A08-51CA-4E28-A914-F2C5173E0C76\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"}]}]}],\"references\":[{\"url\":\"http://www.debian.org/security/2017/dsa-3871\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/98814\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2477\",\"source\":\"security@apache.org\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:3354\",\"source\":\"security@apache.org\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:3355\",\"source\":\"security@apache.org\"},{\"url\":\"https://issues.apache.org/jira/browse/ZOOKEEPER-2693\",\"source\":\"security@apache.org\",\"tags\":[\"Issue Tracking\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370%40%3Cdev.zookeeper.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://www.oracle.com//security-alerts/cpujul2021.html\",\"source\":\"security@apache.org\"},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2020.html\",\"source\":\"security@apache.org\"},{\"url\":\"http://www.debian.org/security/2017/dsa-3871\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/98814\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2477\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:3354\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:3355\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://issues.apache.org/jira/browse/ZOOKEEPER-2693\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370%40%3Cdev.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com//security-alerts/cpujul2021.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
cve-2017-5637
Vulnerability from fkie_nvd
Published
2017-10-10 01:30
Modified
2024-11-21 03:28
Severity ?
Summary
Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | zookeeper | 3.4.0 | |
| apache | zookeeper | 3.4.1 | |
| apache | zookeeper | 3.4.2 | |
| apache | zookeeper | 3.4.3 | |
| apache | zookeeper | 3.4.4 | |
| apache | zookeeper | 3.4.5 | |
| apache | zookeeper | 3.4.6 | |
| apache | zookeeper | 3.4.7 | |
| apache | zookeeper | 3.4.8 | |
| apache | zookeeper | 3.4.9 | |
| apache | zookeeper | 3.5.0 | |
| apache | zookeeper | 3.5.1 | |
| apache | zookeeper | 3.5.2 | |
| debian | debian_linux | 8.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:zookeeper:3.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F0E65AF7-9D19-4B31-9BE0-4EB07B2853F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:zookeeper:3.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "98FFE2B9-6744-4198-946E-89D78EC5E72C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:zookeeper:3.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "075AF151-A8A1-48BC-BD8B-E123ACAD5A02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:zookeeper:3.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "AF7A6DB3-2F19-4155-B019-2325A3D1186F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:zookeeper:3.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "7346C4C9-7788-4686-A9D3-0225CA1A5B39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:zookeeper:3.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "2BA6B730-25E1-489D-BBB7-18F9251EF20D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:zookeeper:3.4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "7DCF90EA-9BD7-42FE-A1C2-0C04D53543DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:zookeeper:3.4.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6E981E8B-0BEF-4644-919F-0BF7549D70E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:zookeeper:3.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "10957A4F-4A07-4777-A92B-525C0AF9D99C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:zookeeper:3.4.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2732FE0E-9F19-46BE-BE05-3DF6ED7AC222",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:zookeeper:3.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C6BC9FC3-2BFE-40D1-A647-801AC49CA0E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:zookeeper:3.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "31DA0549-5FD8-427E-995F-49B26854CB47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:zookeeper:3.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A7974A08-51CA-4E28-A914-F2C5173E0C76",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Two four letter word commands \"wchp/wchc\" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later."
},
{
"lang": "es",
"value": "Dos comandos con palabras de cuatro letras \"wchp/wchc\" provocan un gran consumo de CPU y podr\u00edan dar lugar a que se alcance el m\u00e1ximo uso de CPU en el servidor Apache ZooKeeper si se abusa de ellos, lo que da lugar a que el servidor quede deshabilitado para servir a peticiones de clientes leg\u00edtimos. Las versiones de la 3.4.9 a la 3.5.2 de Apache ZooKeeper tienen este problema, que fue solucionado en las versiones 3.4.10, 3.5.3 y posteriores."
}
],
"id": "CVE-2017-5637",
"lastModified": "2024-11-21T03:28:04.187",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-10-10T01:30:22.360",
"references": [
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2017/dsa-3871"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/98814"
},
{
"source": "security@apache.org",
"url": "https://access.redhat.com/errata/RHSA-2017:2477"
},
{
"source": "security@apache.org",
"url": "https://access.redhat.com/errata/RHSA-2017:3354"
},
{
"source": "security@apache.org",
"url": "https://access.redhat.com/errata/RHSA-2017:3355"
},
{
"source": "security@apache.org",
"tags": [
"Issue Tracking",
"Mitigation",
"Vendor Advisory"
],
"url": "https://issues.apache.org/jira/browse/ZOOKEEPER-2693"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370%40%3Cdev.zookeeper.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"source": "security@apache.org",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2017/dsa-3871"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/98814"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:2477"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:3354"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:3355"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Mitigation",
"Vendor Advisory"
],
"url": "https://issues.apache.org/jira/browse/ZOOKEEPER-2693"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370%40%3Cdev.zookeeper.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-306"
},
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
rhsa-2017:3354
Vulnerability from csaf_redhat
Published
2017-11-30 16:47
Modified
2024-11-22 11:36
Summary
Red Hat Security Advisory: Red Hat JBoss BRMS 6.4.7 security update
Notes
Topic
An update is now available for Red Hat JBoss BRMS.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.
This release of Red Hat JBoss BRMS 6.4.7 serves as a replacement for Red Hat JBoss BRMS 6.4.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing "wchp/wchc" commands, leading to the server being unable to serve legitimate requests. (CVE-2017-5637)
* It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks. (CVE-2017-7545)
Red Hat would like to thank Man Yue Mo (Semmle) for reporting CVE-2017-7545.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss BRMS.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.\n\nThis release of Red Hat JBoss BRMS 6.4.7 serves as a replacement for Red Hat JBoss BRMS 6.4.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing \"wchp/wchc\" commands, leading to the server being unable to serve legitimate requests. (CVE-2017-5637)\n\n* It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks. (CVE-2017-7545)\n\nRed Hat would like to thank Man Yue Mo (Semmle) for reporting CVE-2017-7545.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:3354",
"url": "https://access.redhat.com/errata/RHSA-2017:3354"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=securityPatches\u0026version=6.4",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=securityPatches\u0026version=6.4"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en/red-hat-jboss-brms/",
"url": "https://access.redhat.com/documentation/en/red-hat-jboss-brms/"
},
{
"category": "external",
"summary": "1454808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1454808"
},
{
"category": "external",
"summary": "1474822",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1474822"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_3354.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss BRMS 6.4.7 security update",
"tracking": {
"current_release_date": "2024-11-22T11:36:55+00:00",
"generator": {
"date": "2024-11-22T11:36:55+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:3354",
"initial_release_date": "2017-11-30T16:47:01+00:00",
"revision_history": [
{
"date": "2017-11-30T16:47:01+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-11-30T16:47:01+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T11:36:55+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss BRMS 6.4",
"product": {
"name": "Red Hat JBoss BRMS 6.4",
"product_id": "Red Hat JBoss BRMS 6.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:6.4"
}
}
}
],
"category": "product_family",
"name": "Red Hat Decision Manager"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2017-5637",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2017-05-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1454808"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing \"wchp/wchc\" commands, leading to the server being unable to serve legitimate requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "zookeeper: Incorrect input validation with wchp/wchc four letter words",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-5637"
},
{
"category": "external",
"summary": "RHBZ#1454808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1454808"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-5637",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-5637"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637"
}
],
"release_date": "2017-02-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-11-30T16:47:01+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BRMS 6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:3354"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss BRMS 6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "zookeeper: Incorrect input validation with wchp/wchc four letter words"
},
{
"acknowledgments": [
{
"names": [
"Man Yue Mo"
],
"organization": "Semmle"
}
],
"cve": "CVE-2017-7545",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2017-07-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1474822"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jbpmmigration: XXE vulnerability in XmlUtils",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7545"
},
{
"category": "external",
"summary": "RHBZ#1474822",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1474822"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7545",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7545"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7545",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7545"
}
],
"release_date": "2017-11-30T16:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-11-30T16:47:01+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BRMS 6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:3354"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss BRMS 6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jbpmmigration: XXE vulnerability in XmlUtils"
}
]
}
rhsa-2017:2477
Vulnerability from csaf_redhat
Published
2017-08-15 15:07
Modified
2024-11-22 11:16
Summary
Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.3 Update 7 security update
Notes
Topic
An update is now available for Red Hat JBoss Data Virtualization.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems - such as multiple databases, XML files, and even Hadoop systems - appear as a set of tables in a local database.
This release of Red Hat JBoss Data Virtualization 6.3 Update 7 serves as a replacement for Red Hat JBoss Data Virtualization 6.3 Update 6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)
* A vulnerability was discovered in Apache Thrift client libraries that allows remote, authenticated attackers to cause an infinite recursion via vectors involving the skip function; resulting in a denial of service (DoS) condition. (CVE-2015-3254)
* A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing "wchp/wchc" commands, leading to the server being unable to serve legitimate requests. (CVE-2017-5637)
Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss Data Virtualization.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems - such as multiple databases, XML files, and even Hadoop systems - appear as a set of tables in a local database.\n\nThis release of Red Hat JBoss Data Virtualization 6.3 Update 7 serves as a replacement for Red Hat JBoss Data Virtualization 6.3 Update 6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)\n\n* A vulnerability was discovered in Apache Thrift client libraries that allows remote, authenticated attackers to cause an infinite recursion via vectors involving the skip function; resulting in a denial of service (DoS) condition. (CVE-2015-3254)\n\n* A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing \"wchp/wchc\" commands, leading to the server being unable to serve legitimate requests. (CVE-2017-5637)\n\nRed Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:2477",
"url": "https://access.redhat.com/errata/RHSA-2017:2477"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.3.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.3.0"
},
{
"category": "external",
"summary": "1454808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1454808"
},
{
"category": "external",
"summary": "1462702",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1462702"
},
{
"category": "external",
"summary": "1462783",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1462783"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2477.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.3 Update 7 security update",
"tracking": {
"current_release_date": "2024-11-22T11:16:52+00:00",
"generator": {
"date": "2024-11-22T11:16:52+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:2477",
"initial_release_date": "2017-08-15T15:07:56+00:00",
"revision_history": [
{
"date": "2017-08-15T15:07:56+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-08-15T15:07:56+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T11:16:52+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Data Virtualization 6.3",
"product": {
"name": "Red Hat JBoss Data Virtualization 6.3",
"product_id": "Red Hat JBoss Data Virtualization 6.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_data_virtualization:6.3"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Data Virtualization"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-3254",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2017-06-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1462783"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered in Apache Thrift client libraries that allows remote, authenticated attackers to cause an infinite recursion via vectors involving the skip function; resulting in a denial of service (DoS) condition.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "thrift: Infinite recursion via vectors involving the skip function",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Virtualization 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-3254"
},
{
"category": "external",
"summary": "RHBZ#1462783",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1462783"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-3254",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-3254"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-3254",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3254"
}
],
"release_date": "2015-07-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-15T15:07:56+00:00",
"details": "Before applying the update, back up your existing Red Hat JBoss Data Virtualization installation (including its databases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the Red Hat JBoss Data Virtualization server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Data Virtualization 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2477"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss Data Virtualization 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "thrift: Infinite recursion via vectors involving the skip function"
},
{
"cve": "CVE-2017-5637",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2017-05-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1454808"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing \"wchp/wchc\" commands, leading to the server being unable to serve legitimate requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "zookeeper: Incorrect input validation with wchp/wchc four letter words",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Virtualization 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-5637"
},
{
"category": "external",
"summary": "RHBZ#1454808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1454808"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-5637",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-5637"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637"
}
],
"release_date": "2017-02-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-15T15:07:56+00:00",
"details": "Before applying the update, back up your existing Red Hat JBoss Data Virtualization installation (including its databases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the Red Hat JBoss Data Virtualization server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Data Virtualization 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2477"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss Data Virtualization 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "zookeeper: Incorrect input validation with wchp/wchc four letter words"
},
{
"acknowledgments": [
{
"names": [
"Liao Xinxi"
],
"organization": "NSFOCUS"
}
],
"cve": "CVE-2017-7525",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2017-06-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1462702"
}
],
"notes": [
{
"category": "description",
"text": "A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time:\n\nCandlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected.\n\nHowever as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked.\n\nJBoss EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advise about how to remain safe when using JAX-RS webservices on JBoss EAP 7.x is available here: \n\nhttps://access.redhat.com/solutions/3279231\n\nAlthough JBoss Fuse ships the vulnerable version of jackson-databind, it does not call on enableDefaultTyping() for any polymorphic deserialization operations which is the root cause of this vulnerability. We have raised a Jira tracker to ensure that jackson-databind will be upgraded for Fuse 7.0, however due to feasibility issues jackson-databind cannot be upgraded in JBoss Fuse 6.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Virtualization 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7525"
},
{
"category": "external",
"summary": "RHBZ#1462702",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1462702"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7525",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7525"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7525",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7525"
}
],
"release_date": "2017-07-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-15T15:07:56+00:00",
"details": "Before applying the update, back up your existing Red Hat JBoss Data Virtualization installation (including its databases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the Red Hat JBoss Data Virtualization server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Data Virtualization 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2477"
},
{
"category": "workaround",
"details": "Mitigation to this problem is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true",
"product_ids": [
"Red Hat JBoss Data Virtualization 6.3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss Data Virtualization 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper"
}
]
}
rhsa-2017_3354
Vulnerability from csaf_redhat
Published
2017-11-30 16:47
Modified
2024-11-22 11:36
Summary
Red Hat Security Advisory: Red Hat JBoss BRMS 6.4.7 security update
Notes
Topic
An update is now available for Red Hat JBoss BRMS.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.
This release of Red Hat JBoss BRMS 6.4.7 serves as a replacement for Red Hat JBoss BRMS 6.4.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing "wchp/wchc" commands, leading to the server being unable to serve legitimate requests. (CVE-2017-5637)
* It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks. (CVE-2017-7545)
Red Hat would like to thank Man Yue Mo (Semmle) for reporting CVE-2017-7545.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss BRMS.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.\n\nThis release of Red Hat JBoss BRMS 6.4.7 serves as a replacement for Red Hat JBoss BRMS 6.4.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing \"wchp/wchc\" commands, leading to the server being unable to serve legitimate requests. (CVE-2017-5637)\n\n* It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks. (CVE-2017-7545)\n\nRed Hat would like to thank Man Yue Mo (Semmle) for reporting CVE-2017-7545.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:3354",
"url": "https://access.redhat.com/errata/RHSA-2017:3354"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=securityPatches\u0026version=6.4",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=securityPatches\u0026version=6.4"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en/red-hat-jboss-brms/",
"url": "https://access.redhat.com/documentation/en/red-hat-jboss-brms/"
},
{
"category": "external",
"summary": "1454808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1454808"
},
{
"category": "external",
"summary": "1474822",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1474822"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_3354.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss BRMS 6.4.7 security update",
"tracking": {
"current_release_date": "2024-11-22T11:36:55+00:00",
"generator": {
"date": "2024-11-22T11:36:55+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:3354",
"initial_release_date": "2017-11-30T16:47:01+00:00",
"revision_history": [
{
"date": "2017-11-30T16:47:01+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-11-30T16:47:01+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T11:36:55+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss BRMS 6.4",
"product": {
"name": "Red Hat JBoss BRMS 6.4",
"product_id": "Red Hat JBoss BRMS 6.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:6.4"
}
}
}
],
"category": "product_family",
"name": "Red Hat Decision Manager"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2017-5637",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2017-05-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1454808"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing \"wchp/wchc\" commands, leading to the server being unable to serve legitimate requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "zookeeper: Incorrect input validation with wchp/wchc four letter words",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-5637"
},
{
"category": "external",
"summary": "RHBZ#1454808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1454808"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-5637",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-5637"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637"
}
],
"release_date": "2017-02-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-11-30T16:47:01+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BRMS 6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:3354"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss BRMS 6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "zookeeper: Incorrect input validation with wchp/wchc four letter words"
},
{
"acknowledgments": [
{
"names": [
"Man Yue Mo"
],
"organization": "Semmle"
}
],
"cve": "CVE-2017-7545",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2017-07-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1474822"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jbpmmigration: XXE vulnerability in XmlUtils",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7545"
},
{
"category": "external",
"summary": "RHBZ#1474822",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1474822"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7545",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7545"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7545",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7545"
}
],
"release_date": "2017-11-30T16:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-11-30T16:47:01+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BRMS 6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:3354"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss BRMS 6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jbpmmigration: XXE vulnerability in XmlUtils"
}
]
}
RHSA-2017:3355
Vulnerability from csaf_redhat
Published
2017-11-30 16:46
Modified
2024-11-22 11:36
Summary
Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.4.7 security update
Notes
Topic
An update is now available for Red Hat JBoss BPM Suite.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.
This release of Red Hat JBoss BPM Suite 6.4.7 serves as a replacement for Red Hat JBoss BPM Suite 6.4.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing "wchp/wchc" commands, leading to the server being unable to serve legitimate requests. (CVE-2017-5637)
* It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks. (CVE-2017-7545)
Red Hat would like to thank Man Yue Mo (Semmle) for reporting CVE-2017-7545.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss BPM Suite.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.\n\nThis release of Red Hat JBoss BPM Suite 6.4.7 serves as a replacement for Red Hat JBoss BPM Suite 6.4.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing \"wchp/wchc\" commands, leading to the server being unable to serve legitimate requests. (CVE-2017-5637)\n\n* It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks. (CVE-2017-7545)\n\nRed Hat would like to thank Man Yue Mo (Semmle) for reporting CVE-2017-7545.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:3355",
"url": "https://access.redhat.com/errata/RHSA-2017:3355"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite\u0026downloadType=securityPatches\u0026version=6.4",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite\u0026downloadType=securityPatches\u0026version=6.4"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en/red-hat-jboss-bpm-suite/",
"url": "https://access.redhat.com/documentation/en/red-hat-jboss-bpm-suite/"
},
{
"category": "external",
"summary": "1454808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1454808"
},
{
"category": "external",
"summary": "1474822",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1474822"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_3355.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.4.7 security update",
"tracking": {
"current_release_date": "2024-11-22T11:36:59+00:00",
"generator": {
"date": "2024-11-22T11:36:59+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:3355",
"initial_release_date": "2017-11-30T16:46:10+00:00",
"revision_history": [
{
"date": "2017-11-30T16:46:10+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-11-30T16:46:10+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T11:36:59+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss BPMS 6.4",
"product": {
"name": "Red Hat JBoss BPMS 6.4",
"product_id": "Red Hat JBoss BPMS 6.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_bpms:6.4"
}
}
}
],
"category": "product_family",
"name": "Red Hat Process Automation Manager"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2017-5637",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2017-05-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1454808"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing \"wchp/wchc\" commands, leading to the server being unable to serve legitimate requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "zookeeper: Incorrect input validation with wchp/wchc four letter words",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-5637"
},
{
"category": "external",
"summary": "RHBZ#1454808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1454808"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-5637",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-5637"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637"
}
],
"release_date": "2017-02-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-11-30T16:46:10+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BPMS 6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:3355"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss BPMS 6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "zookeeper: Incorrect input validation with wchp/wchc four letter words"
},
{
"acknowledgments": [
{
"names": [
"Man Yue Mo"
],
"organization": "Semmle"
}
],
"cve": "CVE-2017-7545",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2017-07-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1474822"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jbpmmigration: XXE vulnerability in XmlUtils",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7545"
},
{
"category": "external",
"summary": "RHBZ#1474822",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1474822"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7545",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7545"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7545",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7545"
}
],
"release_date": "2017-11-30T16:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-11-30T16:46:10+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BPMS 6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:3355"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss BPMS 6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jbpmmigration: XXE vulnerability in XmlUtils"
}
]
}
RHSA-2017:2477
Vulnerability from csaf_redhat
Published
2017-08-15 15:07
Modified
2024-11-22 11:16
Summary
Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.3 Update 7 security update
Notes
Topic
An update is now available for Red Hat JBoss Data Virtualization.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems - such as multiple databases, XML files, and even Hadoop systems - appear as a set of tables in a local database.
This release of Red Hat JBoss Data Virtualization 6.3 Update 7 serves as a replacement for Red Hat JBoss Data Virtualization 6.3 Update 6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)
* A vulnerability was discovered in Apache Thrift client libraries that allows remote, authenticated attackers to cause an infinite recursion via vectors involving the skip function; resulting in a denial of service (DoS) condition. (CVE-2015-3254)
* A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing "wchp/wchc" commands, leading to the server being unable to serve legitimate requests. (CVE-2017-5637)
Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss Data Virtualization.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems - such as multiple databases, XML files, and even Hadoop systems - appear as a set of tables in a local database.\n\nThis release of Red Hat JBoss Data Virtualization 6.3 Update 7 serves as a replacement for Red Hat JBoss Data Virtualization 6.3 Update 6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)\n\n* A vulnerability was discovered in Apache Thrift client libraries that allows remote, authenticated attackers to cause an infinite recursion via vectors involving the skip function; resulting in a denial of service (DoS) condition. (CVE-2015-3254)\n\n* A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing \"wchp/wchc\" commands, leading to the server being unable to serve legitimate requests. (CVE-2017-5637)\n\nRed Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:2477",
"url": "https://access.redhat.com/errata/RHSA-2017:2477"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.3.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.3.0"
},
{
"category": "external",
"summary": "1454808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1454808"
},
{
"category": "external",
"summary": "1462702",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1462702"
},
{
"category": "external",
"summary": "1462783",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1462783"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2477.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.3 Update 7 security update",
"tracking": {
"current_release_date": "2024-11-22T11:16:52+00:00",
"generator": {
"date": "2024-11-22T11:16:52+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:2477",
"initial_release_date": "2017-08-15T15:07:56+00:00",
"revision_history": [
{
"date": "2017-08-15T15:07:56+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-08-15T15:07:56+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T11:16:52+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Data Virtualization 6.3",
"product": {
"name": "Red Hat JBoss Data Virtualization 6.3",
"product_id": "Red Hat JBoss Data Virtualization 6.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_data_virtualization:6.3"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Data Virtualization"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-3254",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2017-06-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1462783"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered in Apache Thrift client libraries that allows remote, authenticated attackers to cause an infinite recursion via vectors involving the skip function; resulting in a denial of service (DoS) condition.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "thrift: Infinite recursion via vectors involving the skip function",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Virtualization 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-3254"
},
{
"category": "external",
"summary": "RHBZ#1462783",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1462783"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-3254",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-3254"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-3254",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3254"
}
],
"release_date": "2015-07-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-15T15:07:56+00:00",
"details": "Before applying the update, back up your existing Red Hat JBoss Data Virtualization installation (including its databases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the Red Hat JBoss Data Virtualization server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Data Virtualization 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2477"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss Data Virtualization 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "thrift: Infinite recursion via vectors involving the skip function"
},
{
"cve": "CVE-2017-5637",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2017-05-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1454808"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing \"wchp/wchc\" commands, leading to the server being unable to serve legitimate requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "zookeeper: Incorrect input validation with wchp/wchc four letter words",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Virtualization 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-5637"
},
{
"category": "external",
"summary": "RHBZ#1454808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1454808"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-5637",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-5637"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637"
}
],
"release_date": "2017-02-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-15T15:07:56+00:00",
"details": "Before applying the update, back up your existing Red Hat JBoss Data Virtualization installation (including its databases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the Red Hat JBoss Data Virtualization server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Data Virtualization 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2477"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss Data Virtualization 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "zookeeper: Incorrect input validation with wchp/wchc four letter words"
},
{
"acknowledgments": [
{
"names": [
"Liao Xinxi"
],
"organization": "NSFOCUS"
}
],
"cve": "CVE-2017-7525",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2017-06-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1462702"
}
],
"notes": [
{
"category": "description",
"text": "A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time:\n\nCandlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected.\n\nHowever as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked.\n\nJBoss EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advise about how to remain safe when using JAX-RS webservices on JBoss EAP 7.x is available here: \n\nhttps://access.redhat.com/solutions/3279231\n\nAlthough JBoss Fuse ships the vulnerable version of jackson-databind, it does not call on enableDefaultTyping() for any polymorphic deserialization operations which is the root cause of this vulnerability. We have raised a Jira tracker to ensure that jackson-databind will be upgraded for Fuse 7.0, however due to feasibility issues jackson-databind cannot be upgraded in JBoss Fuse 6.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Virtualization 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7525"
},
{
"category": "external",
"summary": "RHBZ#1462702",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1462702"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7525",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7525"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7525",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7525"
}
],
"release_date": "2017-07-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-15T15:07:56+00:00",
"details": "Before applying the update, back up your existing Red Hat JBoss Data Virtualization installation (including its databases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the Red Hat JBoss Data Virtualization server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Data Virtualization 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2477"
},
{
"category": "workaround",
"details": "Mitigation to this problem is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true",
"product_ids": [
"Red Hat JBoss Data Virtualization 6.3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss Data Virtualization 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper"
}
]
}
rhsa-2017:3355
Vulnerability from csaf_redhat
Published
2017-11-30 16:46
Modified
2024-11-22 11:36
Summary
Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.4.7 security update
Notes
Topic
An update is now available for Red Hat JBoss BPM Suite.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.
This release of Red Hat JBoss BPM Suite 6.4.7 serves as a replacement for Red Hat JBoss BPM Suite 6.4.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing "wchp/wchc" commands, leading to the server being unable to serve legitimate requests. (CVE-2017-5637)
* It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks. (CVE-2017-7545)
Red Hat would like to thank Man Yue Mo (Semmle) for reporting CVE-2017-7545.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss BPM Suite.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.\n\nThis release of Red Hat JBoss BPM Suite 6.4.7 serves as a replacement for Red Hat JBoss BPM Suite 6.4.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing \"wchp/wchc\" commands, leading to the server being unable to serve legitimate requests. (CVE-2017-5637)\n\n* It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks. (CVE-2017-7545)\n\nRed Hat would like to thank Man Yue Mo (Semmle) for reporting CVE-2017-7545.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:3355",
"url": "https://access.redhat.com/errata/RHSA-2017:3355"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite\u0026downloadType=securityPatches\u0026version=6.4",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite\u0026downloadType=securityPatches\u0026version=6.4"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en/red-hat-jboss-bpm-suite/",
"url": "https://access.redhat.com/documentation/en/red-hat-jboss-bpm-suite/"
},
{
"category": "external",
"summary": "1454808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1454808"
},
{
"category": "external",
"summary": "1474822",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1474822"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_3355.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.4.7 security update",
"tracking": {
"current_release_date": "2024-11-22T11:36:59+00:00",
"generator": {
"date": "2024-11-22T11:36:59+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:3355",
"initial_release_date": "2017-11-30T16:46:10+00:00",
"revision_history": [
{
"date": "2017-11-30T16:46:10+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-11-30T16:46:10+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T11:36:59+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss BPMS 6.4",
"product": {
"name": "Red Hat JBoss BPMS 6.4",
"product_id": "Red Hat JBoss BPMS 6.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_bpms:6.4"
}
}
}
],
"category": "product_family",
"name": "Red Hat Process Automation Manager"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2017-5637",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2017-05-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1454808"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing \"wchp/wchc\" commands, leading to the server being unable to serve legitimate requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "zookeeper: Incorrect input validation with wchp/wchc four letter words",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-5637"
},
{
"category": "external",
"summary": "RHBZ#1454808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1454808"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-5637",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-5637"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637"
}
],
"release_date": "2017-02-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-11-30T16:46:10+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BPMS 6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:3355"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss BPMS 6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "zookeeper: Incorrect input validation with wchp/wchc four letter words"
},
{
"acknowledgments": [
{
"names": [
"Man Yue Mo"
],
"organization": "Semmle"
}
],
"cve": "CVE-2017-7545",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2017-07-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1474822"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jbpmmigration: XXE vulnerability in XmlUtils",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7545"
},
{
"category": "external",
"summary": "RHBZ#1474822",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1474822"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7545",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7545"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7545",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7545"
}
],
"release_date": "2017-11-30T16:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-11-30T16:46:10+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BPMS 6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:3355"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss BPMS 6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jbpmmigration: XXE vulnerability in XmlUtils"
}
]
}
rhsa-2017_2477
Vulnerability from csaf_redhat
Published
2017-08-15 15:07
Modified
2024-11-22 11:16
Summary
Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.3 Update 7 security update
Notes
Topic
An update is now available for Red Hat JBoss Data Virtualization.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems - such as multiple databases, XML files, and even Hadoop systems - appear as a set of tables in a local database.
This release of Red Hat JBoss Data Virtualization 6.3 Update 7 serves as a replacement for Red Hat JBoss Data Virtualization 6.3 Update 6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)
* A vulnerability was discovered in Apache Thrift client libraries that allows remote, authenticated attackers to cause an infinite recursion via vectors involving the skip function; resulting in a denial of service (DoS) condition. (CVE-2015-3254)
* A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing "wchp/wchc" commands, leading to the server being unable to serve legitimate requests. (CVE-2017-5637)
Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss Data Virtualization.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems - such as multiple databases, XML files, and even Hadoop systems - appear as a set of tables in a local database.\n\nThis release of Red Hat JBoss Data Virtualization 6.3 Update 7 serves as a replacement for Red Hat JBoss Data Virtualization 6.3 Update 6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)\n\n* A vulnerability was discovered in Apache Thrift client libraries that allows remote, authenticated attackers to cause an infinite recursion via vectors involving the skip function; resulting in a denial of service (DoS) condition. (CVE-2015-3254)\n\n* A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing \"wchp/wchc\" commands, leading to the server being unable to serve legitimate requests. (CVE-2017-5637)\n\nRed Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:2477",
"url": "https://access.redhat.com/errata/RHSA-2017:2477"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.3.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.3.0"
},
{
"category": "external",
"summary": "1454808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1454808"
},
{
"category": "external",
"summary": "1462702",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1462702"
},
{
"category": "external",
"summary": "1462783",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1462783"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2477.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.3 Update 7 security update",
"tracking": {
"current_release_date": "2024-11-22T11:16:52+00:00",
"generator": {
"date": "2024-11-22T11:16:52+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:2477",
"initial_release_date": "2017-08-15T15:07:56+00:00",
"revision_history": [
{
"date": "2017-08-15T15:07:56+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-08-15T15:07:56+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T11:16:52+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Data Virtualization 6.3",
"product": {
"name": "Red Hat JBoss Data Virtualization 6.3",
"product_id": "Red Hat JBoss Data Virtualization 6.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_data_virtualization:6.3"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Data Virtualization"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-3254",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2017-06-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1462783"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered in Apache Thrift client libraries that allows remote, authenticated attackers to cause an infinite recursion via vectors involving the skip function; resulting in a denial of service (DoS) condition.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "thrift: Infinite recursion via vectors involving the skip function",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Virtualization 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-3254"
},
{
"category": "external",
"summary": "RHBZ#1462783",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1462783"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-3254",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-3254"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-3254",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3254"
}
],
"release_date": "2015-07-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-15T15:07:56+00:00",
"details": "Before applying the update, back up your existing Red Hat JBoss Data Virtualization installation (including its databases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the Red Hat JBoss Data Virtualization server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Data Virtualization 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2477"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss Data Virtualization 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "thrift: Infinite recursion via vectors involving the skip function"
},
{
"cve": "CVE-2017-5637",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2017-05-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1454808"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing \"wchp/wchc\" commands, leading to the server being unable to serve legitimate requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "zookeeper: Incorrect input validation with wchp/wchc four letter words",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Virtualization 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-5637"
},
{
"category": "external",
"summary": "RHBZ#1454808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1454808"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-5637",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-5637"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637"
}
],
"release_date": "2017-02-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-15T15:07:56+00:00",
"details": "Before applying the update, back up your existing Red Hat JBoss Data Virtualization installation (including its databases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the Red Hat JBoss Data Virtualization server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Data Virtualization 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2477"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss Data Virtualization 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "zookeeper: Incorrect input validation with wchp/wchc four letter words"
},
{
"acknowledgments": [
{
"names": [
"Liao Xinxi"
],
"organization": "NSFOCUS"
}
],
"cve": "CVE-2017-7525",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2017-06-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1462702"
}
],
"notes": [
{
"category": "description",
"text": "A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time:\n\nCandlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected.\n\nHowever as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked.\n\nJBoss EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advise about how to remain safe when using JAX-RS webservices on JBoss EAP 7.x is available here: \n\nhttps://access.redhat.com/solutions/3279231\n\nAlthough JBoss Fuse ships the vulnerable version of jackson-databind, it does not call on enableDefaultTyping() for any polymorphic deserialization operations which is the root cause of this vulnerability. We have raised a Jira tracker to ensure that jackson-databind will be upgraded for Fuse 7.0, however due to feasibility issues jackson-databind cannot be upgraded in JBoss Fuse 6.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Virtualization 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7525"
},
{
"category": "external",
"summary": "RHBZ#1462702",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1462702"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7525",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7525"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7525",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7525"
}
],
"release_date": "2017-07-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-15T15:07:56+00:00",
"details": "Before applying the update, back up your existing Red Hat JBoss Data Virtualization installation (including its databases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the Red Hat JBoss Data Virtualization server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Data Virtualization 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2477"
},
{
"category": "workaround",
"details": "Mitigation to this problem is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true",
"product_ids": [
"Red Hat JBoss Data Virtualization 6.3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss Data Virtualization 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper"
}
]
}
RHSA-2017:3354
Vulnerability from csaf_redhat
Published
2017-11-30 16:47
Modified
2024-11-22 11:36
Summary
Red Hat Security Advisory: Red Hat JBoss BRMS 6.4.7 security update
Notes
Topic
An update is now available for Red Hat JBoss BRMS.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.
This release of Red Hat JBoss BRMS 6.4.7 serves as a replacement for Red Hat JBoss BRMS 6.4.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing "wchp/wchc" commands, leading to the server being unable to serve legitimate requests. (CVE-2017-5637)
* It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks. (CVE-2017-7545)
Red Hat would like to thank Man Yue Mo (Semmle) for reporting CVE-2017-7545.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss BRMS.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.\n\nThis release of Red Hat JBoss BRMS 6.4.7 serves as a replacement for Red Hat JBoss BRMS 6.4.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing \"wchp/wchc\" commands, leading to the server being unable to serve legitimate requests. (CVE-2017-5637)\n\n* It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks. (CVE-2017-7545)\n\nRed Hat would like to thank Man Yue Mo (Semmle) for reporting CVE-2017-7545.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:3354",
"url": "https://access.redhat.com/errata/RHSA-2017:3354"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=securityPatches\u0026version=6.4",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms\u0026downloadType=securityPatches\u0026version=6.4"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en/red-hat-jboss-brms/",
"url": "https://access.redhat.com/documentation/en/red-hat-jboss-brms/"
},
{
"category": "external",
"summary": "1454808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1454808"
},
{
"category": "external",
"summary": "1474822",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1474822"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_3354.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss BRMS 6.4.7 security update",
"tracking": {
"current_release_date": "2024-11-22T11:36:55+00:00",
"generator": {
"date": "2024-11-22T11:36:55+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:3354",
"initial_release_date": "2017-11-30T16:47:01+00:00",
"revision_history": [
{
"date": "2017-11-30T16:47:01+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-11-30T16:47:01+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T11:36:55+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss BRMS 6.4",
"product": {
"name": "Red Hat JBoss BRMS 6.4",
"product_id": "Red Hat JBoss BRMS 6.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:6.4"
}
}
}
],
"category": "product_family",
"name": "Red Hat Decision Manager"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2017-5637",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2017-05-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1454808"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing \"wchp/wchc\" commands, leading to the server being unable to serve legitimate requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "zookeeper: Incorrect input validation with wchp/wchc four letter words",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-5637"
},
{
"category": "external",
"summary": "RHBZ#1454808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1454808"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-5637",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-5637"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637"
}
],
"release_date": "2017-02-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-11-30T16:47:01+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BRMS 6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:3354"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss BRMS 6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "zookeeper: Incorrect input validation with wchp/wchc four letter words"
},
{
"acknowledgments": [
{
"names": [
"Man Yue Mo"
],
"organization": "Semmle"
}
],
"cve": "CVE-2017-7545",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2017-07-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1474822"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jbpmmigration: XXE vulnerability in XmlUtils",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BRMS 6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7545"
},
{
"category": "external",
"summary": "RHBZ#1474822",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1474822"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7545",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7545"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7545",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7545"
}
],
"release_date": "2017-11-30T16:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-11-30T16:47:01+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BRMS 6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:3354"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss BRMS 6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jbpmmigration: XXE vulnerability in XmlUtils"
}
]
}
rhsa-2017_3355
Vulnerability from csaf_redhat
Published
2017-11-30 16:46
Modified
2024-11-22 11:36
Summary
Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.4.7 security update
Notes
Topic
An update is now available for Red Hat JBoss BPM Suite.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.
This release of Red Hat JBoss BPM Suite 6.4.7 serves as a replacement for Red Hat JBoss BPM Suite 6.4.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing "wchp/wchc" commands, leading to the server being unable to serve legitimate requests. (CVE-2017-5637)
* It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks. (CVE-2017-7545)
Red Hat would like to thank Man Yue Mo (Semmle) for reporting CVE-2017-7545.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss BPM Suite.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.\n\nThis release of Red Hat JBoss BPM Suite 6.4.7 serves as a replacement for Red Hat JBoss BPM Suite 6.4.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing \"wchp/wchc\" commands, leading to the server being unable to serve legitimate requests. (CVE-2017-5637)\n\n* It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks. (CVE-2017-7545)\n\nRed Hat would like to thank Man Yue Mo (Semmle) for reporting CVE-2017-7545.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:3355",
"url": "https://access.redhat.com/errata/RHSA-2017:3355"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite\u0026downloadType=securityPatches\u0026version=6.4",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite\u0026downloadType=securityPatches\u0026version=6.4"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en/red-hat-jboss-bpm-suite/",
"url": "https://access.redhat.com/documentation/en/red-hat-jboss-bpm-suite/"
},
{
"category": "external",
"summary": "1454808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1454808"
},
{
"category": "external",
"summary": "1474822",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1474822"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_3355.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.4.7 security update",
"tracking": {
"current_release_date": "2024-11-22T11:36:59+00:00",
"generator": {
"date": "2024-11-22T11:36:59+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:3355",
"initial_release_date": "2017-11-30T16:46:10+00:00",
"revision_history": [
{
"date": "2017-11-30T16:46:10+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-11-30T16:46:10+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T11:36:59+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss BPMS 6.4",
"product": {
"name": "Red Hat JBoss BPMS 6.4",
"product_id": "Red Hat JBoss BPMS 6.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_bpms:6.4"
}
}
}
],
"category": "product_family",
"name": "Red Hat Process Automation Manager"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2017-5637",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2017-05-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1454808"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service vulnerability was discovered in ZooKeeper which allows an attacker to dramatically increase CPU utilization by abusing \"wchp/wchc\" commands, leading to the server being unable to serve legitimate requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "zookeeper: Incorrect input validation with wchp/wchc four letter words",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-5637"
},
{
"category": "external",
"summary": "RHBZ#1454808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1454808"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-5637",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-5637"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637"
}
],
"release_date": "2017-02-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-11-30T16:46:10+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BPMS 6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:3355"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss BPMS 6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "zookeeper: Incorrect input validation with wchp/wchc four letter words"
},
{
"acknowledgments": [
{
"names": [
"Man Yue Mo"
],
"organization": "Semmle"
}
],
"cve": "CVE-2017-7545",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2017-07-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1474822"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jbpmmigration: XXE vulnerability in XmlUtils",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss BPMS 6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7545"
},
{
"category": "external",
"summary": "RHBZ#1474822",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1474822"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7545",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7545"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7545",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7545"
}
],
"release_date": "2017-11-30T16:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-11-30T16:46:10+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss BPMS 6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:3355"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss BPMS 6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jbpmmigration: XXE vulnerability in XmlUtils"
}
]
}
WID-SEC-W-2022-0770
Vulnerability from csaf_certbund
Published
2020-04-23 22:00
Modified
2024-05-16 22:00
Summary
IBM DB2: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
IBM DB2 ist ein relationales Datenbanksystem (RDBS) von IBM.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in IBM DB2 ausnutzen, um seine Privilegien zu erhöhen oder einen Denial of Service zu verursachen
Betroffene Betriebssysteme
- Linux
- UNIX
- Windows
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "IBM DB2 ist ein relationales Datenbanksystem (RDBS) von IBM.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in IBM DB2 ausnutzen, um seine Privilegien zu erh\u00f6hen oder einen Denial of Service zu verursachen",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2022-0770 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2020/wid-sec-w-2022-0770.json"
},
{
"category": "self",
"summary": "WID-SEC-2022-0770 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0770"
},
{
"category": "external",
"summary": "IBM Security Bulletin 6198380 vom 2020-04-23",
"url": "https://www.ibm.com/support/pages/node/6198380"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2020:2603 vom 2020-06-17",
"url": "https://access.redhat.com/errata/RHSA-2020:2603"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2020:4807 vom 2020-11-04",
"url": "https://access.redhat.com/errata/RHSA-2020:4807"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:3225 vom 2021-08-20",
"url": "https://access.redhat.com/errata/RHSA-2021:3225"
},
{
"category": "external",
"summary": "Hitachi Vulnerability Information HITACHI-SEC-2022-115 vom 2022-05-27",
"url": "https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2022-115/index.html"
},
{
"category": "external",
"summary": "IBM Security Bulletin 6605881 vom 2022-07-21",
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-have-been-identified-in-ibm-db2-shipped-with-ibm-puredata-system-for-operational-analytics/"
},
{
"category": "external",
"summary": "Dell Security Advisory DSA-2024-070 vom 2024-02-03",
"url": "https://www.dell.com/support/kbdoc/000221770/dsa-2024-="
},
{
"category": "external",
"summary": "Hitachi Vulnerability Information HITACHI-SEC-2023-144 vom 2023-10-03",
"url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2023-144/index.html"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7153639 vom 2024-05-17",
"url": "https://www.ibm.com/support/pages/node/7153639"
}
],
"source_lang": "en-US",
"title": "IBM DB2: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2024-05-16T22:00:00.000+00:00",
"generator": {
"date": "2024-05-17T08:33:37.793+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.0"
}
},
"id": "WID-SEC-W-2022-0770",
"initial_release_date": "2020-04-23T22:00:00.000+00:00",
"revision_history": [
{
"date": "2020-04-23T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2020-06-17T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2020-11-03T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2021-08-19T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2022-05-26T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von HITACHI aufgenommen"
},
{
"date": "2022-07-20T22:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2023-10-03T22:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von HITACHI aufgenommen"
},
{
"date": "2024-02-04T23:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von Dell aufgenommen"
},
{
"date": "2024-05-16T22:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von IBM aufgenommen"
}
],
"status": "final",
"version": "9"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "EMC Avamar",
"product": {
"name": "EMC Avamar",
"product_id": "T014381",
"product_identification_helper": {
"cpe": "cpe:/a:emc:avamar:-"
}
}
}
],
"category": "vendor",
"name": "EMC"
},
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Hitachi Ops Center",
"product": {
"name": "Hitachi Ops Center",
"product_id": "T017562",
"product_identification_helper": {
"cpe": "cpe:/a:hitachi:ops_center:-"
}
}
},
{
"category": "product_version_range",
"name": "\u003cAnalyzer 10.9.3-00",
"product": {
"name": "Hitachi Ops Center \u003cAnalyzer 10.9.3-00",
"product_id": "T030196",
"product_identification_helper": {
"cpe": "cpe:/a:hitachi:ops_center:analyzer_10.9.3-00"
}
}
},
{
"category": "product_version_range",
"name": "\u003cViewpoint 10.9.3-00",
"product": {
"name": "Hitachi Ops Center \u003cViewpoint 10.9.3-00",
"product_id": "T030197",
"product_identification_helper": {
"cpe": "cpe:/a:hitachi:ops_center:viewpoint_10.9.3-00"
}
}
}
],
"category": "product_name",
"name": "Ops Center"
}
],
"category": "vendor",
"name": "Hitachi"
},
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "11.1",
"product": {
"name": "IBM DB2 11.1",
"product_id": "342000",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:db2:11.1"
}
}
},
{
"category": "product_version",
"name": "11.5",
"product": {
"name": "IBM DB2 11.5",
"product_id": "695419",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:db2:11.5"
}
}
}
],
"category": "product_name",
"name": "DB2"
}
],
"category": "vendor",
"name": "IBM"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2009-0001",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2009-0001"
},
{
"cve": "CVE-2014-0114",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2014-0114"
},
{
"cve": "CVE-2014-0193",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2014-0193"
},
{
"cve": "CVE-2014-3488",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2014-3488"
},
{
"cve": "CVE-2015-2156",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2015-2156"
},
{
"cve": "CVE-2016-2402",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2016-2402"
},
{
"cve": "CVE-2017-12972",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2017-12972"
},
{
"cve": "CVE-2017-12973",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2017-12973"
},
{
"cve": "CVE-2017-12974",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2017-12974"
},
{
"cve": "CVE-2017-18640",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2017-18640"
},
{
"cve": "CVE-2017-3734",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2017-3734"
},
{
"cve": "CVE-2017-5637",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2017-5637"
},
{
"cve": "CVE-2018-10237",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2018-10237"
},
{
"cve": "CVE-2018-11771",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2018-11771"
},
{
"cve": "CVE-2018-8009",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2018-8009"
},
{
"cve": "CVE-2018-8012",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2018-8012"
},
{
"cve": "CVE-2019-0201",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-0201"
},
{
"cve": "CVE-2019-10086",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-10086"
},
{
"cve": "CVE-2019-10172",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-10172"
},
{
"cve": "CVE-2019-10202",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-10202"
},
{
"cve": "CVE-2019-12402",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-12402"
},
{
"cve": "CVE-2019-16869",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-16869"
},
{
"cve": "CVE-2019-17195",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-17195"
},
{
"cve": "CVE-2019-17571",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-17571"
},
{
"cve": "CVE-2019-9512",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-9512"
},
{
"cve": "CVE-2019-9514",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-9514"
},
{
"cve": "CVE-2019-9515",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-9515"
},
{
"cve": "CVE-2019-9518",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-9518"
}
]
}
wid-sec-w-2022-0770
Vulnerability from csaf_certbund
Published
2020-04-23 22:00
Modified
2024-05-16 22:00
Summary
IBM DB2: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
IBM DB2 ist ein relationales Datenbanksystem (RDBS) von IBM.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in IBM DB2 ausnutzen, um seine Privilegien zu erhöhen oder einen Denial of Service zu verursachen
Betroffene Betriebssysteme
- Linux
- UNIX
- Windows
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "IBM DB2 ist ein relationales Datenbanksystem (RDBS) von IBM.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in IBM DB2 ausnutzen, um seine Privilegien zu erh\u00f6hen oder einen Denial of Service zu verursachen",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2022-0770 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2020/wid-sec-w-2022-0770.json"
},
{
"category": "self",
"summary": "WID-SEC-2022-0770 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0770"
},
{
"category": "external",
"summary": "IBM Security Bulletin 6198380 vom 2020-04-23",
"url": "https://www.ibm.com/support/pages/node/6198380"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2020:2603 vom 2020-06-17",
"url": "https://access.redhat.com/errata/RHSA-2020:2603"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2020:4807 vom 2020-11-04",
"url": "https://access.redhat.com/errata/RHSA-2020:4807"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:3225 vom 2021-08-20",
"url": "https://access.redhat.com/errata/RHSA-2021:3225"
},
{
"category": "external",
"summary": "Hitachi Vulnerability Information HITACHI-SEC-2022-115 vom 2022-05-27",
"url": "https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2022-115/index.html"
},
{
"category": "external",
"summary": "IBM Security Bulletin 6605881 vom 2022-07-21",
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-have-been-identified-in-ibm-db2-shipped-with-ibm-puredata-system-for-operational-analytics/"
},
{
"category": "external",
"summary": "Dell Security Advisory DSA-2024-070 vom 2024-02-03",
"url": "https://www.dell.com/support/kbdoc/000221770/dsa-2024-="
},
{
"category": "external",
"summary": "Hitachi Vulnerability Information HITACHI-SEC-2023-144 vom 2023-10-03",
"url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2023-144/index.html"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7153639 vom 2024-05-17",
"url": "https://www.ibm.com/support/pages/node/7153639"
}
],
"source_lang": "en-US",
"title": "IBM DB2: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2024-05-16T22:00:00.000+00:00",
"generator": {
"date": "2024-05-17T08:33:37.793+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.0"
}
},
"id": "WID-SEC-W-2022-0770",
"initial_release_date": "2020-04-23T22:00:00.000+00:00",
"revision_history": [
{
"date": "2020-04-23T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2020-06-17T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2020-11-03T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2021-08-19T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2022-05-26T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von HITACHI aufgenommen"
},
{
"date": "2022-07-20T22:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2023-10-03T22:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von HITACHI aufgenommen"
},
{
"date": "2024-02-04T23:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von Dell aufgenommen"
},
{
"date": "2024-05-16T22:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von IBM aufgenommen"
}
],
"status": "final",
"version": "9"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "EMC Avamar",
"product": {
"name": "EMC Avamar",
"product_id": "T014381",
"product_identification_helper": {
"cpe": "cpe:/a:emc:avamar:-"
}
}
}
],
"category": "vendor",
"name": "EMC"
},
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Hitachi Ops Center",
"product": {
"name": "Hitachi Ops Center",
"product_id": "T017562",
"product_identification_helper": {
"cpe": "cpe:/a:hitachi:ops_center:-"
}
}
},
{
"category": "product_version_range",
"name": "\u003cAnalyzer 10.9.3-00",
"product": {
"name": "Hitachi Ops Center \u003cAnalyzer 10.9.3-00",
"product_id": "T030196",
"product_identification_helper": {
"cpe": "cpe:/a:hitachi:ops_center:analyzer_10.9.3-00"
}
}
},
{
"category": "product_version_range",
"name": "\u003cViewpoint 10.9.3-00",
"product": {
"name": "Hitachi Ops Center \u003cViewpoint 10.9.3-00",
"product_id": "T030197",
"product_identification_helper": {
"cpe": "cpe:/a:hitachi:ops_center:viewpoint_10.9.3-00"
}
}
}
],
"category": "product_name",
"name": "Ops Center"
}
],
"category": "vendor",
"name": "Hitachi"
},
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "11.1",
"product": {
"name": "IBM DB2 11.1",
"product_id": "342000",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:db2:11.1"
}
}
},
{
"category": "product_version",
"name": "11.5",
"product": {
"name": "IBM DB2 11.5",
"product_id": "695419",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:db2:11.5"
}
}
}
],
"category": "product_name",
"name": "DB2"
}
],
"category": "vendor",
"name": "IBM"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2009-0001",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2009-0001"
},
{
"cve": "CVE-2014-0114",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2014-0114"
},
{
"cve": "CVE-2014-0193",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2014-0193"
},
{
"cve": "CVE-2014-3488",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2014-3488"
},
{
"cve": "CVE-2015-2156",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2015-2156"
},
{
"cve": "CVE-2016-2402",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2016-2402"
},
{
"cve": "CVE-2017-12972",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2017-12972"
},
{
"cve": "CVE-2017-12973",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2017-12973"
},
{
"cve": "CVE-2017-12974",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2017-12974"
},
{
"cve": "CVE-2017-18640",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2017-18640"
},
{
"cve": "CVE-2017-3734",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2017-3734"
},
{
"cve": "CVE-2017-5637",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2017-5637"
},
{
"cve": "CVE-2018-10237",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2018-10237"
},
{
"cve": "CVE-2018-11771",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2018-11771"
},
{
"cve": "CVE-2018-8009",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2018-8009"
},
{
"cve": "CVE-2018-8012",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2018-8012"
},
{
"cve": "CVE-2019-0201",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-0201"
},
{
"cve": "CVE-2019-10086",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-10086"
},
{
"cve": "CVE-2019-10172",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-10172"
},
{
"cve": "CVE-2019-10202",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-10202"
},
{
"cve": "CVE-2019-12402",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-12402"
},
{
"cve": "CVE-2019-16869",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-16869"
},
{
"cve": "CVE-2019-17195",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-17195"
},
{
"cve": "CVE-2019-17571",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-17571"
},
{
"cve": "CVE-2019-9512",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-9512"
},
{
"cve": "CVE-2019-9514",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-9514"
},
{
"cve": "CVE-2019-9515",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-9515"
},
{
"cve": "CVE-2019-9518",
"notes": [
{
"category": "description",
"text": "In IBM DB2 existieren mehrere Schwachstellen in abh\u00e4ngigen Bibliotheken. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen oder seine Rechte zu erweitern."
}
],
"product_status": {
"known_affected": [
"T014381",
"342000",
"67646",
"695419",
"T030196",
"T017562",
"T030197"
]
},
"release_date": "2020-04-23T22:00:00Z",
"title": "CVE-2019-9518"
}
]
}
ghsa-7cwj-j333-x7f7
Vulnerability from github
Published
2022-05-13 01:08
Modified
2022-07-01 16:58
Severity ?
Summary
Uncontrolled Resource Consumption in Apache ZooKeeper
Details
Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.4.9"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.zookeeper:zookeeper"
},
"ranges": [
{
"events": [
{
"introduced": "3.4.0"
},
{
"fixed": "3.4.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.5.2"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.zookeeper:zookeeper"
},
"ranges": [
{
"events": [
{
"introduced": "3.5.0"
},
{
"fixed": "3.5.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-5637"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-01T16:58:11Z",
"nvd_published_at": "2017-10-10T01:30:00Z",
"severity": "HIGH"
},
"details": "Two four letter word commands \"wchp/wchc\" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.",
"id": "GHSA-7cwj-j333-x7f7",
"modified": "2022-07-01T16:58:11Z",
"published": "2022-05-13T01:08:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2477"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3354"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3355"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/ZOOKEEPER-2693"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370@%3Cdev.zookeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3871"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98814"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Uncontrolled Resource Consumption in Apache ZooKeeper"
}
gsd-2017-5637
Vulnerability from gsd
Modified
2023-12-13 01:21
Details
Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2017-5637",
"description": "Two four letter word commands \"wchp/wchc\" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.",
"id": "GSD-2017-5637",
"references": [
"https://www.suse.com/security/cve/CVE-2017-5637.html",
"https://www.debian.org/security/2017/dsa-3871",
"https://access.redhat.com/errata/RHSA-2017:3355",
"https://access.redhat.com/errata/RHSA-2017:3354",
"https://access.redhat.com/errata/RHSA-2017:2477",
"https://ubuntu.com/security/CVE-2017-5637"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2017-5637"
],
"details": "Two four letter word commands \"wchp/wchc\" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.",
"id": "GSD-2017-5637",
"modified": "2023-12-13T01:21:13.917730Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-10-09T00:00:00",
"ID": "CVE-2017-5637",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache ZooKeeper",
"version": {
"version_data": [
{
"version_value": "3.4.0 to 3.4.9"
},
{
"version_value": "3.5.0 to 3.5.2"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Two four letter word commands \"wchp/wchc\" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "DOS"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[dev] 20171009 [SECURITY] CVE-2017-5637: DOS attack on wchp/wchc four letter words (4lw)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "98814",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/98814"
},
{
"name": "RHSA-2017:3355",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:3355"
},
{
"name": "RHSA-2017:3354",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:3354"
},
{
"name": "RHSA-2017:2477",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:2477"
},
{
"name": "DSA-3871",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2017/dsa-3871"
},
{
"name": "[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E"
},
{
"name": "[nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E"
},
{
"name": "[nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"name": "https://issues.apache.org/jira/browse/ZOOKEEPER-2693",
"refsource": "CONFIRM",
"url": "https://issues.apache.org/jira/browse/ZOOKEEPER-2693"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "[3.4.0,3.4.9],[3.5.0,3.5.2]",
"affected_versions": "All versions starting from 3.4.0 up to 3.4.9, all versions starting from 3.5.0 up to 3.5.2",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-306",
"CWE-400",
"CWE-937"
],
"date": "2019-10-03",
"description": "Two `wchp` and `wchc` commands are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests.",
"fixed_versions": [
"3.4.10",
"3.5.3"
],
"identifier": "CVE-2017-5637",
"identifiers": [
"CVE-2017-5637"
],
"not_impacted": "All versions before 3.4.0, all versions after 3.4.9 before 3.5.0, all versions after 3.5.2",
"package_slug": "maven/org.apache.zookeeper/zookeeper",
"pubdate": "2017-10-10",
"solution": "Upgrade to versions 3.4.10, 3.5.3 or above.",
"title": "Missing Authentication for Critical Function",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2017-5637",
"http://www.securityfocus.com/bid/98814",
"https://issues.apache.org/jira/browse/ZOOKEEPER-2693"
],
"uuid": "eba1af28-547c-4137-a5da-46446b50b280"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:zookeeper:3.4.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:zookeeper:3.4.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:zookeeper:3.5.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:zookeeper:3.5.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:zookeeper:3.4.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:zookeeper:3.4.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:zookeeper:3.4.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:zookeeper:3.4.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:zookeeper:3.4.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:zookeeper:3.5.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:zookeeper:3.4.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:zookeeper:3.4.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:zookeeper:3.4.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2017-5637"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Two four letter word commands \"wchp/wchc\" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
},
{
"lang": "en",
"value": "CWE-306"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[dev] 20171009 [SECURITY] CVE-2017-5637: DOS attack on wchp/wchc four letter words (4lw)",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "https://issues.apache.org/jira/browse/ZOOKEEPER-2693",
"refsource": "CONFIRM",
"tags": [
"Issue Tracking",
"Mitigation",
"Vendor Advisory"
],
"url": "https://issues.apache.org/jira/browse/ZOOKEEPER-2693"
},
{
"name": "98814",
"refsource": "BID",
"tags": [
"VDB Entry",
"Third Party Advisory"
],
"url": "http://www.securityfocus.com/bid/98814"
},
{
"name": "DSA-3871",
"refsource": "DEBIAN",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2017/dsa-3871"
},
{
"name": "RHSA-2017:3355",
"refsource": "REDHAT",
"tags": [],
"url": "https://access.redhat.com/errata/RHSA-2017:3355"
},
{
"name": "RHSA-2017:3354",
"refsource": "REDHAT",
"tags": [],
"url": "https://access.redhat.com/errata/RHSA-2017:3354"
},
{
"name": "RHSA-2017:2477",
"refsource": "REDHAT",
"tags": [],
"url": "https://access.redhat.com/errata/RHSA-2017:2477"
},
{
"name": "[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar",
"refsource": "MLIST",
"tags": [],
"url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E"
},
{
"name": "[nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html",
"refsource": "MLIST",
"tags": [],
"url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E"
},
{
"name": "[nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html",
"refsource": "MLIST",
"tags": [],
"url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2020.html",
"refsource": "MISC",
"tags": [],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"name": "N/A",
"refsource": "N/A",
"tags": [],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2021-07-20T23:15Z",
"publishedDate": "2017-10-10T01:30Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.