Action not permitted
Modal body text goes here.
cve-2021-4104
Vulnerability from cvelistv5
▼ | Vendor | Product |
---|---|---|
Apache Software Foundation | Apache Log4j 1.x |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T17:16:04.172Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "tags": [ "x_transferred" ], "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "tags": [ "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "name": "VU#930724", "tags": [ "third-party-advisory", "x_transferred" ], "url": "https://www.kb.cert.org/vuls/id/930724" }, { "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_transferred" ], "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20211223-0007/" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "name": "GLSA-202209-02", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202209-02" }, { "name": "GLSA-202310-16", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202310-16" }, { "name": "GLSA-202312-02", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202312-02" }, { "name": "GLSA-202312-04", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202312-04" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache Log4j 1.x", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "Apache Log4j 1.2 1.2.x" } ] } ], "descriptions": [ { "lang": "en", "value": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-22T09:06:15.357899", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "name": "VU#930724", "tags": [ "third-party-advisory" ], "url": "https://www.kb.cert.org/vuls/id/930724" }, { "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3" }, { "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033" }, { "url": "https://security.netapp.com/advisory/ntap-20211223-0007/" }, { "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "name": "GLSA-202209-02", "tags": [ "vendor-advisory" ], "url": "https://security.gentoo.org/glsa/202209-02" }, { "name": "GLSA-202310-16", "tags": [ "vendor-advisory" ], "url": "https://security.gentoo.org/glsa/202310-16" }, { "name": "GLSA-202312-02", "tags": [ "vendor-advisory" ], "url": "https://security.gentoo.org/glsa/202312-02" }, { "name": "GLSA-202312-04", "tags": [ "vendor-advisory" ], "url": "https://security.gentoo.org/glsa/202312-04" } ], "source": { "discovery": "UNKNOWN" }, "title": "Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-4104", "datePublished": "2021-12-14T00:00:00", "dateReserved": "2021-12-13T00:00:00", "dateUpdated": "2024-08-03T17:16:04.172Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2021-4104\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2021-12-14T12:15:12.200\",\"lastModified\":\"2023-12-22T09:15:36.510\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.\"},{\"lang\":\"es\",\"value\":\"JMSAppender en Log4j versi\u00f3n 1.2 es vulnerable a una deserializaci\u00f3n de datos no confiables cuando el atacante presenta acceso de escritura a la configuraci\u00f3n de Log4j. El atacante puede proporcionar configuraciones TopicBindingName y TopicConnectionFactoryBindingName haciendo que JMSAppender realice peticiones JNDI que resulten en la ejecuci\u00f3n de c\u00f3digo remota de forma similar a CVE-2021-44228. Tenga en cuenta que este problema s\u00f3lo afecta a Log4j versi\u00f3n 1.2 cuando es configurado espec\u00edficamente para usar JMSAppender, que no es el predeterminado. Apache Log4j versi\u00f3n 1.2 lleg\u00f3 al final de su vida \u00fatil en agosto de 2015. Los usuarios deber\u00edan actualizar a Log4j 2 ya que aborda otros numerosos problemas de las versiones anteriores\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:P/I:P/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":6.0},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":6.8,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]},{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:log4j:1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2954BDA9-F03D-44AC-A9EA-3E89036EEFA8\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:codeready_studio:12.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1BAF877F-B8D5-4313-AC5C-26BB82006B30\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B87C8AD3-8878-4546-86C2-BF411876648C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:integration_camel_quarkus:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F039C746-2001-4EE5-835F-49607A94F12B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_a-mq:6.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"33C4404A-CFB7-4B47-9487-F998825C31CA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_a-mq:7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A58966CB-36AF-4E64-AB39-BE3A0753E155\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_a-mq_streaming:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8C7257E5-B4A7-4299-8FE1-A94121E47528\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CD354E32-A8B0-484C-B4C6-9FBCD3430D2D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_data_virtualization:6.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5CDDAFDB-E67A-4795-B2C4-C2D31734ABC8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B142ACCC-F7A9-4A3B-BE60-0D6691D5058D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"88BF3B2C-B121-483A-AEF2-8082F6DA5310\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A305F012-544E-4245-9D69-1C8CD37748B1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B40CCE4F-EA2C-453D-BB76-6388767E5C6D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_fuse_service_works:6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3B78438D-1321-4BF4-AEB1-DAF60D589530\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_operations_network:3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C077D692-150C-4AE9-8C0B-7A3EA5EB1100\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_web_server:3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"54EB07A0-FB38-4F17-9C8D-DB629967F07B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A33441B3-B301-426C-A976-08CE5FE72EFB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:4.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6B62E762-2878-455A-93C9-A5DB430D7BB5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:4.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"14CF53D2-B585-4EA5-8F18-21BC9ECBB4B6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:4.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"91B493F0-5542-49F7-AAAE-E6CA6E468D7B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"20A6B40D-F991-4712-8E30-5FE008505CB7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"749804DA-4B27-492A-9ABA-6BB562A6B3AC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"142AD0DD-4CF3-4D74-9442-459CE3347E3A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F4CFF558-3C47-480D-A2F0-BABF26042943\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:advanced_supply_chain_planning:12.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A62E2A25-1AD7-4B4B-9D1B-F0DEA4550557\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:advanced_supply_chain_planning:12.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0331158C-BBE0-42DB-8180-EB1FCD290567\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*\",\"matchCriteriaId\":\"B602F9E8-1580-436C-A26D-6E6F8121A583\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*\",\"matchCriteriaId\":\"77C3DD16-1D81-40E1-B312-50FBD275507C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*\",\"matchCriteriaId\":\"81DAC8C0-D342-44B5-9432-6B88D389584F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E869C417-C0E6-4FC3-B406-45598A1D1906\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DFEFE2C0-7B98-44F9-B3AD-D6EC607E90DA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C68536CA-C7E2-4228-A6B8-F0DB6A9D29EC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E1214FDF-357A-4BB9-BADE-50FB2BD16D10\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B21E6EEF-2AB7-4E96-B092-1F49D11B4175\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_offline_mediation_controller:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"12.0.0.4.0\",\"matchCriteriaId\":\"28CDCE04-B074-4D7A-B6E4-48193458C9A0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5933FEA2-B79E-4EE7-B821-54D676B45734\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0D299528-8EF0-49AF-9BDE-4B6C6B1DA36C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"17A91FD9-9F77-42D3-A4D9-48BC7568ADE1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A7637F8B-15F1-42E2-BE18-E1FF7C66587D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E43D793A-7756-4D58-A8ED-72DC4EC9CEA7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:2.2.1.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6ED0EE39-C080-4E75-AE0F-3859B57EF851\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D26F3E23-F1A9-45E7-9E5F-0C0A24EE3783\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6E8758C8-87D3-450A-878B-86CE8C9FC140\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"054B56E0-F11B-4939-B7E1-E722C67A041A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"250A493C-E052-4978-ABBE-786DC8038448\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2E2B771B-230A-4811-94D7-065C2722E428\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:fusion_middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F17531CB-DE8A-4ACD-93A0-6A5A8481D51B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:goldengate:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"507E7AEE-C2FC-4EED-B0F7-5E41642C0BF7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:healthcare_data_repository:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"66C673C4-A825-46C0-816B-103E1C058D03\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:hyperion_data_relationship_management:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"11.2.8.0\",\"matchCriteriaId\":\"E8E7FBA9-0FFF-4C86-B151-28C17A142E0B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:hyperion_infrastructure_technology:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"11.2.8.0\",\"matchCriteriaId\":\"55BBCD48-BCC6-4E19-A4CE-970E524B9FF4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:identity_management_suite:12.2.1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1489DDA7-EDBE-404C-B48D-F0B52B741708\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:identity_management_suite:12.2.1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"535BC19C-21A1-48E3-8CC0-B276BA5D494E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"228DA523-4D6D-48C5-BDB0-DB1A60F23F8B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"8.0.29\",\"matchCriteriaId\":\"B0EBAC6D-D0CE-42A1-AEA0-2D50C8035747\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_allocation:14.1.3.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"51E83F05-B691-4450-BCA9-32209AEC4F6A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_allocation:15.0.3.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"288235F9-2F9E-469A-BE14-9089D0782875\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_allocation:16.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6672F9C1-DA04-47F1-B699-C171511ACE38\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_allocation:19.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"11E57939-A543-44F7-942A-88690E39EABA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"30501D23-5044-477A-8DC3-7610126AEFD7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:stream_analytics:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0B45A731-11D1-433B-B202-9C8D67C609F9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:timesten_grid:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"900D9DBF-8071-4CE5-A67A-9E0C00D04B87\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:tuxedo:12.2.2.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EB7D0A30-3986-49AB-B7F3-DAE0024504BA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A3ED272C-A545-4F8C-86C0-2736B3F2DCAF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C5B4C338-11E1-4235-9D5A-960B2711AC39\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8C93F84E-9680-44EF-8656-D27440B51698\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F14A818F-AA16-4438-A3E4-E64C9287AC66\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"04BCDC24-4A21-473C-8733-0D9CFB38A752\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2022/01/18/3\",\"source\":\"security@apache.org\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2021-4104\",\"source\":\"security@apache.org\"},{\"url\":\"https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126\",\"source\":\"security@apache.org\"},{\"url\":\"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033\",\"source\":\"security@apache.org\"},{\"url\":\"https://security.gentoo.org/glsa/202209-02\",\"source\":\"security@apache.org\"},{\"url\":\"https://security.gentoo.org/glsa/202310-16\",\"source\":\"security@apache.org\"},{\"url\":\"https://security.gentoo.org/glsa/202312-02\",\"source\":\"security@apache.org\"},{\"url\":\"https://security.gentoo.org/glsa/202312-04\",\"source\":\"security@apache.org\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20211223-0007/\",\"source\":\"security@apache.org\"},{\"url\":\"https://www.cve.org/CVERecord?id=CVE-2021-44228\",\"source\":\"security@apache.org\"},{\"url\":\"https://www.kb.cert.org/vuls/id/930724\",\"source\":\"security@apache.org\"},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2022.html\",\"source\":\"security@apache.org\"},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2022.html\",\"source\":\"security@apache.org\"},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2022.html\",\"source\":\"security@apache.org\"}]}}" } }
rhsa-2024_5856
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 7.\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.1.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.6, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.1.7 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* undertow: EAP: field-name is not parsed in accordance to RFC7230 [eap-7.1.z] (CVE-2020-1710)\n\n* commons-beanutils: apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default [eap-7.1.z] (CVE-2019-10086)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink [eap-7.1.z] (CVE-2022-23302)\n\n* jackson-databind: default typing mishandling leading to remote code execution [eap-7.1.z] (CVE-2019-14379)\n\n* undertow: HTTP/2: flood using HEADERS frames results in unbounded memory growth [eap-7.1.z] (CVE-2019-9514)\n\n* undertow: AJP File Read/Inclusion Vulnerability [eap-7.1.z] (CVE-2020-1745)\n\n* undertow: HTTP/2: large amount of data requests leads to denial of service [eap-7.1.z] (CVE-2019-9511)\n\n* undertow: servletPath in normalized incorrectly leading to dangerous application mapping which could result in security bypass [eap-7.1.z] (CVE-2020-1757)\n\n* undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS [eap-7.1.z] (CVE-2019-14888)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer [eap-7.1.z] (CVE-2022-23307)\n\n* netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header [eap-7.1.z] (CVE-2019-20445)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [eap-7.1.z] (CVE-2021-4104)\n\n* undertow: HTTP/2: flood using SETTINGS frames results in unbounded memory growth [eap-7.1.z] (CVE-2019-9515)\n\n* infinispan-core: infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods [eap-7.1.z] (CVE-2019-10174)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender [eap-7.1.z] (CVE-2022-23305)\n\n* jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution [eap-7.1.z] (CVE-2019-12384)\n\n* wildfly-security-manager: security manager authorization bypass (CVE-2019-14843)\n\n* HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512)\n\n* netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869)\n\n* jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531)\n\n* netty: HTTP request smuggling (CVE-2019-20444)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2024:5856", "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1", "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1" }, { "category": "external", "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1/html-single/installation_guide/index", "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1/html-single/installation_guide/index" }, { "category": "external", "summary": "1703469", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1703469" }, { "category": "external", "summary": "1725807", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1725807" }, { "category": "external", "summary": "1735645", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735645" }, { "category": "external", "summary": "1735744", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735744" }, { "category": "external", "summary": "1735745", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735745" }, { "category": "external", "summary": "1737517", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1737517" }, { "category": "external", "summary": "1741860", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1741860" }, { "category": "external", "summary": "1752770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1752770" }, { "category": "external", "summary": "1752980", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1752980" }, { "category": "external", "summary": "1758619", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758619" }, { "category": "external", "summary": "1767483", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1767483" }, { "category": "external", "summary": "1772464", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1772464" }, { "category": "external", "summary": "1775293", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1775293" }, { "category": "external", "summary": "1793970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793970" }, { "category": "external", "summary": "1798509", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798509" }, { "category": "external", "summary": "1798524", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798524" }, { "category": "external", "summary": "1807305", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1807305" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "JBEAP-24826", "url": "https://issues.redhat.com/browse/JBEAP-24826" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_5856.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.1.7 on RHEL 7 security update", "tracking": { "current_release_date": "2024-11-06T06:46:28+00:00", "generator": { "date": "2024-11-06T06:46:28+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2024:5856", "initial_release_date": "2024-08-26T11:05:47+00:00", "revision_history": [ { "date": "2024-08-26T11:05:47+00:00", "number": "1", "summary": "Initial version" }, { "date": "2024-08-26T11:05:47+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T06:46:28+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "product": { "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "product_id": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@1.4.18-12.SP12_redhat_00001.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "product": { "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "product_id": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-netty@4.1.45-1.Final_redhat_00001.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "product": { "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "product_id": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.1.13-1.Final_redhat_00001.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "product": { "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "product_id": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-commons-beanutils@1.9.4-1.redhat_00002.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "product": { "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "product_id": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "product": { "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "product_id": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-databind@2.8.11.5-1.redhat_00001.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "product": { "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "product_id": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.1.7-2.GA_redhat_00002.1.ep7.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@1.4.18-12.SP12_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-netty@4.1.45-1.Final_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-netty-all@4.1.45-1.Final_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.1.13-1.Final_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "product": { "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "product_id": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-commons-beanutils@1.9.4-1.redhat_00002.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-jdbc@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-remote@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-client-hotrod@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-commons@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-core@8.2.11-1.SP2_redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "product": { "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "product_id": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-databind@2.8.11.5-1.redhat_00001.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product": { "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product_id": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.1.7-2.GA_redhat_00002.1.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product": { "name": "eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product_id": "eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.1.7-2.GA_redhat_00002.1.ep7.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch" }, "product_reference": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src" }, "product_reference": "eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src" }, "product_reference": "eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" }, "product_reference": "eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src" }, "product_reference": "eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" }, "product_reference": "eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" }, "product_reference": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src" }, "product_reference": "eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch" }, "product_reference": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src" }, "product_reference": "eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server", "product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" }, "product_reference": "eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-7.1-EUS" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-9511", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-08-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1741860" } ], "notes": [ { "category": "description", "text": "A flaw was found in HTTP/2. An attacker can request a large amount of data by manipulating window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this queue can consume excess CPU, memory, or both, leading to a denial of service. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "HTTP/2: large amount of data requests leads to denial of service", "title": "Vulnerability summary" }, { "category": "other", "text": "There are no mitigations available for nghttp2 and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-9511" }, { "category": "external", "summary": "RHBZ#1741860", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1741860" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9511", "url": "https://www.cve.org/CVERecord?id=CVE-2019-9511" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9511", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9511" }, { "category": "external", "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md" }, { "category": "external", "summary": "https://kb.cert.org/vuls/id/605641/", "url": "https://kb.cert.org/vuls/id/605641/" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/" }, { "category": "external", "summary": "https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/", "url": "https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/" } ], "release_date": "2019-08-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "Red Hat Quay 3.0 uses Nginx 1.12 from Red Hat Software Collections. It will be updated once a fixed is released for Software Collections. In the meantime users of Quay can disable http/2 support in Nginx by following these instructions:\n\n1. Copy the Nginx configuration from the quay container to the host\n$ docker cp 3aadf1421ba3:/quay-registry/conf/nginx/ /mnt/quay/nginx\n\n2. Edit the Nginx configuration, removing http/2 support\n$ sed -i \u0027s/http2 //g\u0027 /mnt/quay/nginx/nginx.conf\n\n3. Restart Nginx with the new configuration mounted into the container, eg:\n$ docker run --restart=always -p 443:8443 -p 80:8080 --sysctl net.core.somaxconn=4096 -v /mnt/quay/config:/conf/stack:Z -v /mnt/quay/storage:/datastorage -v /mnt/quay/nginx:/quay-registry/config/nginx:Z -d quay.io/redhat/quay:v3.0.3", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "HTTP/2: large amount of data requests leads to denial of service" }, { "acknowledgments": [ { "names": [ "the Envoy security team" ] } ], "cve": "CVE-2019-9512", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-08-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1735645" } ], "notes": [ { "category": "description", "text": "A flaw was found in HTTP/2. Using PING frames and queuing of response PING ACK frames, a flood attack could occur resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "HTTP/2: flood using PING frames results in unbounded memory growth", "title": "Vulnerability summary" }, { "category": "other", "text": "The golang package in Red Hat OpenStack Platform 9 Operational Tools will not be updated for this flaw because it is in technical preview and is retiring as of 24.Aug.2019.\nThis issue did not affect the versions of grafana(embeds golang) as shipped with Red Hat Ceph Storage 2 and Red Hat Gluster Storage 3 as they did not include the support for HTTP/2.\nThe following storage product versions are affected because they include the support for HTTP/2 in:\n* golang as shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3\n* heketi(embeds golang) as shipped with Red Hat Gluster Storage 3\n* grafana(embeds golang and grpc) as shipped with Red Hat Ceph Storage 3\nThis flaw has no available mitigation for packages golang and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.\n\nAll OpenShift Container Platform RPMs and container images that are built with Go and support HTTP/2 are vulnerable to this flaw.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-9512" }, { "category": "external", "summary": "RHBZ#1735645", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735645" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9512", "url": "https://www.cve.org/CVERecord?id=CVE-2019-9512" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9512", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9512" }, { "category": "external", "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md" }, { "category": "external", "summary": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg", "url": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg" }, { "category": "external", "summary": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA", "url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/" }, { "category": "external", "summary": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html", "url": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html" } ], "release_date": "2019-08-13T17:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "HTTP/2: flood using PING frames results in unbounded memory growth" }, { "acknowledgments": [ { "names": [ "the Envoy security team" ] } ], "cve": "CVE-2019-9514", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-08-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1735744" } ], "notes": [ { "category": "description", "text": "A flaw was found in HTTP/2. Using HEADER frames with invalid HTTP headers and queuing of response RST_STREAM frames, an attacker could cause a flood resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "HTTP/2: flood using HEADERS frames results in unbounded memory growth", "title": "Vulnerability summary" }, { "category": "other", "text": "The golang package in Red Hat OpenStack Platform 9 Operational Tools will not be updated for this flaw because it is in technical preview and is retiring as of 24.Aug.2019.\nThis issue did not affect the versions of grafana(embeds golang) as shipped with Red Hat Ceph Storage 2 and Red Hat Gluster Storage 3 as they did not include the support for HTTP/2.\nThe following storage product versions are affected because they include the support for HTTP/2 in:\n* golang as shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3\n* heketi(embeds golang) as shipped with Red Hat Gluster Storage 3\n* grafana(embeds golang and grpc) as shipped with Red Hat Ceph Storage 3\nThis flaw has no available mitigation for packages golang and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.\n\nAll OpenShift Container Platform RPMs and container images that are built with Go and support HTTP/2 are vulnerable to this flaw.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-9514" }, { "category": "external", "summary": "RHBZ#1735744", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735744" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9514", "url": "https://www.cve.org/CVERecord?id=CVE-2019-9514" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9514", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9514" }, { "category": "external", "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md" }, { "category": "external", "summary": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg", "url": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg" }, { "category": "external", "summary": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA", "url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/" }, { "category": "external", "summary": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html", "url": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html" } ], "release_date": "2019-08-13T17:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "HTTP/2: flood using HEADERS frames results in unbounded memory growth" }, { "acknowledgments": [ { "names": [ "the Envoy security team" ] } ], "cve": "CVE-2019-9515", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-08-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1735745" } ], "notes": [ { "category": "description", "text": "A flaw was found in HTTP/2. Using SETTINGS frames and queuing of SETTINGS ACK frames, a flood could occur resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "HTTP/2: flood using SETTINGS frames results in unbounded memory growth", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue affects the version of grafana(embeds gRPC) as shipped with Red Hat Ceph Storage 3 as it include the support for HTTP/2.\nThis flaw has no available mitigation for nodejs package. It will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-9515" }, { "category": "external", "summary": "RHBZ#1735745", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735745" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9515", "url": "https://www.cve.org/CVERecord?id=CVE-2019-9515" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9515", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9515" }, { "category": "external", "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md" }, { "category": "external", "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/" }, { "category": "external", "summary": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html", "url": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html" } ], "release_date": "2019-08-13T17:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "HTTP/2: flood using SETTINGS frames results in unbounded memory growth" }, { "cve": "CVE-2019-10086", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2019-10-31T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1767483" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Commons BeanUtils, where the class property in PropertyUtilsBean is not suppressed by default. This flaw allows an attacker to access the classloader.", "title": "Vulnerability description" }, { "category": "summary", "text": "apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-10086" }, { "category": "external", "summary": "RHBZ#1767483", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1767483" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-10086", "url": "https://www.cve.org/CVERecord?id=CVE-2019-10086" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10086", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10086" }, { "category": "external", "summary": "https://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.4/RELEASE-NOTES.txt", "url": "https://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.4/RELEASE-NOTES.txt" } ], "release_date": "2019-08-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "There is no currently known mitigation for this flaw.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default" }, { "cve": "CVE-2019-10174", "cwe": { "id": "CWE-470", "name": "Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)" }, "discovery_date": "2018-10-25T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1703469" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan\u0027s privileges. The attacker can use reflection to introduce new, malicious behavior into the application.", "title": "Vulnerability description" }, { "category": "summary", "text": "infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenStack Platform\u0027s OpenDaylight contains the vulnerable library. This library is a requirement of other dependencies (Karaf and Hibernate). Under supported deployments, the vulnerable functionality is not utilized. Based on this, no OpenDaylight versions will not be fixed.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-10174" }, { "category": "external", "summary": "RHBZ#1703469", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1703469" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-10174", "url": "https://www.cve.org/CVERecord?id=CVE-2019-10174" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10174", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10174" } ], "release_date": "2019-11-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "There is no known mitigation for this issue.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods" }, { "cve": "CVE-2019-12384", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2019-06-25T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1725807" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in FasterXML jackson-databind in versions prior to 2.9.9. The vulnerability would permit polymorphic deserialization of malicious objects using the logback-core gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. Depending on the classpath content, remote code execution may be possible.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenStack\u0027s OpenDaylight does not use logback in any supported configuration. Therefore, the prerequisites for this vulnerability are not present and OpenDaylight is not affected.\n\nThis vulnerability relies on logback-core (ch.qos.logback.core) being present in the application\u0027s ClassPath. Logback-core is not packaged as an RPM for Red Hat Enterprise Linux or Red Hat Software Collections. Applications using jackson-databind that do not also use logback-core are not impacted by this vulnerability.\n\nThis issue affects the versions of jackson-databind bundled with candlepin as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-12384" }, { "category": "external", "summary": "RHBZ#1725807", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1725807" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-12384", "url": "https://www.cve.org/CVERecord?id=CVE-2019-12384" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-12384", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12384" } ], "release_date": "2019-06-21T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible:\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution" }, { "cve": "CVE-2019-14379", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2019-07-29T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1737517" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache and logback JNDI gadgets when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: default typing mishandling leading to remote code execution", "title": "Vulnerability summary" }, { "category": "other", "text": "While OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nSimilarly, Satellite 6 does not enable polymorphic unmarshmalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-14379" }, { "category": "external", "summary": "RHBZ#1737517", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1737517" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-14379", "url": "https://www.cve.org/CVERecord?id=CVE-2019-14379" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14379", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14379" } ], "release_date": "2019-07-23T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jackson-databind: default typing mishandling leading to remote code execution" }, { "cve": "CVE-2019-14843", "cwe": { "id": "CWE-592", "name": "CWE-592" }, "discovery_date": "2019-09-17T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1752980" } ], "notes": [ { "category": "description", "text": "A flaw was found in Wildfly Security Manager, running under JDK 11 or 8, that authorized requests for any requester. This flaw could be used by a malicious app deployed on the app server to access unauthorized information and possibly conduct further attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "wildfly-security-manager: security manager authorization bypass", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-14843" }, { "category": "external", "summary": "RHBZ#1752980", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1752980" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-14843", "url": "https://www.cve.org/CVERecord?id=CVE-2019-14843" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14843", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14843" } ], "release_date": "2019-09-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "This flaw only affects the Security Manager running under JDK 11 or 8. To mitigate exposure to this flaw, do not run under those JDK versions.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "wildfly-security-manager: security manager authorization bypass" }, { "acknowledgments": [ { "names": [ "Henning Baldersheim", "H\u00e5vard Pettersen" ], "organization": "Verizon Media" } ], "cve": "CVE-2019-14888", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2019-10-25T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1772464" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in the Undertow HTTP server listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-14888" }, { "category": "external", "summary": "RHBZ#1772464", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1772464" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-14888", "url": "https://www.cve.org/CVERecord?id=CVE-2019-14888" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14888", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14888" } ], "release_date": "2020-01-20T12:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "Enable HTTP2 (enable-http2=\"true\") in the undertow\u0027s HTTPS settings.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS" }, { "cve": "CVE-2019-16869", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2019-09-26T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1758619" } ], "notes": [ { "category": "description", "text": "A flaw was found in Netty, where whitespace before the colon in HTTP headers is mishandled. This flaw allows an attacker to cause HTTP request smuggling.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers", "title": "Vulnerability summary" }, { "category": "other", "text": "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch\u0027s security team has stated that this vulnerability does not poses a substantial practical threat to ElasticSearch 6 [1]. We agree that this issue would be difficult to exploit these vulnerabilities on OpenShift Container Platform, so we\u0027re reducing the impact of this issue to moderate and may fix it in the future release.\n\nRed Hat Satellite ships vulnerable netty version embedded in Candlepin, however, is not directly vulnerable since HTTP requests are handled by Tomcat and not netty.\n\n[1] https://github.com/elastic/elasticsearch/issues/49396", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-16869" }, { "category": "external", "summary": "RHBZ#1758619", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758619" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-16869", "url": "https://www.cve.org/CVERecord?id=CVE-2019-16869" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-16869", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16869" } ], "release_date": "2019-09-26T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers" }, { "cve": "CVE-2019-17531", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2019-11-21T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1775293" } ], "notes": [ { "category": "description", "text": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.*", "title": "Vulnerability summary" }, { "category": "other", "text": "Satellite 6 does not enable polymorphic unmarshmalling, which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.\n\nRed Hat OpenShift Container Platform does ship the vulnerable component, but does not enable the unsafe conditions needed to exploit, lowering their vulnerability impact.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-17531" }, { "category": "external", "summary": "RHBZ#1775293", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1775293" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-17531", "url": "https://www.cve.org/CVERecord?id=CVE-2019-17531" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-17531", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17531" } ], "release_date": "2019-10-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.*" }, { "cve": "CVE-2019-20444", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2020-01-30T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1798524" } ], "notes": [ { "category": "description", "text": "A HTTP smuggling flaw was found in HttpObjectDecoder.java in Netty in versions prior to version 4.1.44. HTTP headers with an invalid fold, in this case CRLF (carriage return, line feed) without being followed by SP (space) or HTAB (horizontal tab), result in situations where headers can be misread. Data integrity is the highest threat with this vulnerability.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty: HTTP request smuggling", "title": "Vulnerability summary" }, { "category": "other", "text": "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch\u0027s security team has stated that the previous vulnerability, CVE-2019-16869, does not pose a substantial practical threat to ElasticSearch 6. We agree that these issues would be difficult to exploit on OpenShift Container Platform so we\u0027re reducing the impact of this issue to moderate and may fix it in the future release.\n\nRed Hat Satellite ships a vulnerable version of netty embedded in Candlepin. However, the flaw can not be triggered in that context, because HTTP requests are handled by Tomcat, not by netty. A future release may fix this.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-20444" }, { "category": "external", "summary": "RHBZ#1798524", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798524" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20444", "url": "https://www.cve.org/CVERecord?id=CVE-2019-20444" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20444", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20444" }, { "category": "external", "summary": "https://github.com/elastic/elasticsearch/issues/49396", "url": "https://github.com/elastic/elasticsearch/issues/49396" } ], "release_date": "2020-01-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "netty: HTTP request smuggling" }, { "cve": "CVE-2019-20445", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2020-01-20T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1798509" } ], "notes": [ { "category": "description", "text": "A flaw was found in Netty before version 4.1.44, where it accepted multiple Content-Length headers and also accepted both Transfer-Encoding, as well as Content-Length headers where it should reject the message under such circumstances. In circumstances where Netty is used in the context of a server, it could result in a viable HTTP smuggling vulnerability.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header", "title": "Vulnerability summary" }, { "category": "other", "text": "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch\u0027s security team has stated that the previous vulnerability, CVE-2019-16869, does not poses a substantial practical threat to ElasticSearch 6 [1]. We agree that this issue would be difficult to exploit both these vulnerabilities on OpenShift Container Platform, so we\u0027re reducing the impact of this issue to moderate and may fix it in the future release.\n\nRed Hat Satellite ships a vulnerable version of netty embedded in Candlepin. However, the flaw can not be triggered in that context, because HTTP requests are handled by Tomcat, not by netty. A future release may fix this.\n\n[1] https://github.com/elastic/elasticsearch/issues/49396", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-20445" }, { "category": "external", "summary": "RHBZ#1798509", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798509" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20445", "url": "https://www.cve.org/CVERecord?id=CVE-2019-20445" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20445", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20445" } ], "release_date": "2020-01-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header" }, { "cve": "CVE-2020-1710", "cwe": { "id": "CWE-113", "name": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)" }, "discovery_date": "2019-12-20T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1793970" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in JBoss EAP, where it does not process the header field-name in accordance with RFC7230. Whitespace between the header field-name and colon is processed, resulting in an HTTP response code of 200 instead of a bad request of 400.", "title": "Vulnerability description" }, { "category": "summary", "text": "EAP: field-name is not parsed in accordance to RFC7230", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1710" }, { "category": "external", "summary": "RHBZ#1793970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793970" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1710", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1710" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1710", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1710" } ], "release_date": "2020-08-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "There is currently no known mitigation for this issue.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "EAP: field-name is not parsed in accordance to RFC7230" }, { "acknowledgments": [ { "names": [ "Steve Zapantis", "Robert Roberson", "taktakdb4g" ] } ], "cve": "CVE-2020-1745", "cwe": { "id": "CWE-285", "name": "Improper Authorization" }, "discovery_date": "2020-02-24T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1807305" } ], "notes": [ { "category": "description", "text": "A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: AJP File Read/Inclusion Vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Please refer to the Red Hat knowledgebase article: https://access.redhat.com/solutions/4851251 and CVE page https://access.redhat.com/security/cve/cve-2020-1938", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1745" }, { "category": "external", "summary": "RHBZ#1807305", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1807305" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1745", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1745" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1745", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1745" }, { "category": "external", "summary": "https://meterpreter.org/cve-2020-1938-apache-tomcat-ajp-connector-remote-code-execution-vulnerability-alert/", "url": "https://meterpreter.org/cve-2020-1938-apache-tomcat-ajp-connector-remote-code-execution-vulnerability-alert/" }, { "category": "external", "summary": "https://www.cnvd.org.cn/webinfo/show/5415", "url": "https://www.cnvd.org.cn/webinfo/show/5415" }, { "category": "external", "summary": "https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487", "url": "https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487" } ], "release_date": "2020-02-26T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "Please refer to the Red Hat knowledgebase article: https://access.redhat.com/solutions/4851251", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: AJP File Read/Inclusion Vulnerability" }, { "acknowledgments": [ { "names": [ "Fedorov Oleksii", "Keitaro Yamazaki", "Shiga Ryota" ], "organization": "LINE Corporation" } ], "cve": "CVE-2020-1757", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2019-09-09T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1752770" } ], "notes": [ { "category": "description", "text": "A flaw was found in Undertow, where the servlet container causes the servletPath to normalize incorrectly by truncating the path after the semicolon. The flaw may lead to application mapping, resulting in a security bypass.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1757" }, { "category": "external", "summary": "RHBZ#1752770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1752770" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1757", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1757" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1757", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1757" } ], "release_date": "2018-12-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "The issue can be mitigated by configuring UrlPathHelper to ignore the servletPath via setting \"alwaysUseFullPath\".", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.0" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "known_not_affected": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-08-26T11:05:47+00:00", "details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:5856" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-apache-commons-beanutils-0:1.9.4-1.redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-jdbc-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-cachestore-remote-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-client-hotrod-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-commons-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-infinispan-core-0:8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.5-1.redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-undertow-0:1.4.18-12.SP12_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-wildfly-elytron-0:1.1.13-1.Final_redhat_00001.1.ep7.el7.src", "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch", "7Server-JBEAP-7.1-EUS:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.ep7.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_5458
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 6.4. Red Hat Product Security has rated this update as having a security impact of Important.\n\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.24 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.23 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 6.4.24 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935)\n\n* jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS (CVE-2020-14384)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:5458", "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index" }, { "category": "external", "summary": "1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "1871928", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1871928" }, { "category": "external", "summary": "1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_5458.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.24 security update", "tracking": { "current_release_date": "2024-11-06T01:09:07+00:00", "generator": { "date": "2024-11-06T01:09:07+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:5458", "initial_release_date": "2022-06-30T18:34:28+00:00", "revision_history": [ { "date": "2022-06-30T18:34:28+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-06-30T18:34:28+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T01:09:07+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "EAP 6.4.24 release", "product": { "name": "EAP 6.4.24 release", "product_id": "EAP 6.4.24 release", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-13935", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-07-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1857024" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat, where the payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Certificate System 10.0 as well as Red Hat Enterprise Linux 8\u0027s Identity Management, are using a vulnerable version of Tomcat, bundled into the pki-servlet-engine component. However, there is no entry point for WebSockets, thus it is not possible to trigger the flaw in a supported setup. A future update may fix the code. Similarly, Red Hat OpenStack Platform 13 does not ship with WebSocket functionality enabled by default.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-13935" }, { "category": "external", "summary": "RHBZ#1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-13935", "url": "https://www.cve.org/CVERecord?id=CVE-2020-13935" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935" }, { "category": "external", "summary": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E", "url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E" }, { "category": "external", "summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7", "url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7" }, { "category": "external", "summary": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105", "url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105" }, { "category": "external", "summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57", "url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57" }, { "category": "external", "summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37", "url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37" } ], "release_date": "2020-07-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS" }, { "cve": "CVE-2020-14384", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-09-02T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1875176" } ], "notes": [ { "category": "description", "text": "A flaw was found in jbossweb. The fix for CVE-2020-13935 was incomplete in JBossWeb, leaving it vulnerable to a denial of service attack when sending multiple requests with invalid payload length in a WebSocket frame. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-14384" }, { "category": "external", "summary": "RHBZ#1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14384", "url": "https://www.cve.org/CVERecord?id=CVE-2020-14384" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384" } ], "release_date": "2020-09-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4.24 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T18:34:28+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4.24 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "EAP 6.4.24 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4.24 release" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2021_5183
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.8.24 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046 (CVE-2021-4125)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5183", "url": "https://access.redhat.com/errata/RHSA-2021:5183" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2033121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5183.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.8.24 security update", "tracking": { "current_release_date": "2024-11-06T00:16:24+00:00", "generator": { "date": "2024-11-06T00:16:24+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2021:5183", "initial_release_date": "2021-12-16T21:14:49+00:00", "revision_history": [ { "date": "2021-12-16T21:14:49+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-16T21:14:49+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:16:24+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.8", "product": { "name": "Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.8::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64", "product": { "name": "openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64", "product_id": "openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hive\u0026tag=v4.8.0-202112160147.p0.g5672016.assembly.stream" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.8.0-202112161229.p0.g0d7ecfb.assembly.art3599" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.8.0.202112161229.p0.g0d7ecfb.assembly.art3599-1" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" }, "product_reference": "openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64", "relates_to_product_reference": "8Base-RHOSE-4.8" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T21:14:49+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5183" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-4125", "discovery_date": "2021-12-16T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2033121" } ], "notes": [ { "category": "description", "text": "It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed.", "title": "Vulnerability description" }, { "category": "summary", "text": "kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046", "title": "Vulnerability summary" }, { "category": "other", "text": "This CVE only applies to the OpenShift Metering hive container images, shipped in OpenShift 4.8, 4.7 and 4.6. The below previously shipped advisories were incomplete:\n\nhttps://access.redhat.com/errata/RHSA-2021:5108\n\nhttps://access.redhat.com/errata/RHSA-2021:5107\n\nhttps://access.redhat.com/errata/RHSA-2021:5106\n\nFor the complete fix, customers should upgrade to the images shipped in these advisories:\n\n4.8.24: https://access.redhat.com/errata/RHSA-2021:5183\n\n4.7.40: https://access.redhat.com/errata/RHSA-2021:5184\n\n4.6.52 https://access.redhat.com/errata/RHSA-2021:5186\n\nThe OpenShift Metering hive container images were deprecated in OpenShift 4.8, and not shipped in 4.9 or later.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4125" }, { "category": "external", "summary": "RHBZ#2033121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4125", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4125" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4125", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4125" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-45046", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" } ], "release_date": "2021-12-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T21:14:49+00:00", "details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5183" }, { "category": "workaround", "details": "Please follow the Mitigation advice for the original CVEs.", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle@sha256:d9723537198ddd114f1d18391deded973ea1630f7526563ac2f1f77b09a81529_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator@sha256:36da829e53ab829380767ceea0f52523f769e847016c42c9245ce8b1646838c0_amd64", "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hive@sha256:978ed19333959861cc7a948ac5acb790fe7bfa6e33db1b06521ef0e0b38c7801_amd64" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ], "title": "kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046" } ] }
rhsa-2022_1297
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\n* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:1297", "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "JBEAP-22105", "url": "https://issues.redhat.com/browse/JBEAP-22105" }, { "category": "external", "summary": "JBEAP-22385", "url": "https://issues.redhat.com/browse/JBEAP-22385" }, { "category": "external", "summary": "JBEAP-22731", "url": "https://issues.redhat.com/browse/JBEAP-22731" }, { "category": "external", "summary": "JBEAP-22738", "url": "https://issues.redhat.com/browse/JBEAP-22738" }, { "category": "external", "summary": "JBEAP-22819", "url": "https://issues.redhat.com/browse/JBEAP-22819" }, { "category": "external", "summary": "JBEAP-22839", "url": "https://issues.redhat.com/browse/JBEAP-22839" }, { "category": "external", "summary": "JBEAP-22864", "url": "https://issues.redhat.com/browse/JBEAP-22864" }, { "category": "external", "summary": "JBEAP-22900", "url": "https://issues.redhat.com/browse/JBEAP-22900" }, { "category": "external", "summary": "JBEAP-22904", "url": "https://issues.redhat.com/browse/JBEAP-22904" }, { "category": "external", "summary": "JBEAP-22911", "url": "https://issues.redhat.com/browse/JBEAP-22911" }, { "category": "external", "summary": "JBEAP-22912", "url": "https://issues.redhat.com/browse/JBEAP-22912" }, { "category": "external", "summary": "JBEAP-22913", "url": "https://issues.redhat.com/browse/JBEAP-22913" }, { "category": "external", "summary": "JBEAP-22935", "url": "https://issues.redhat.com/browse/JBEAP-22935" }, { "category": "external", "summary": "JBEAP-22945", "url": "https://issues.redhat.com/browse/JBEAP-22945" }, { "category": "external", "summary": "JBEAP-22973", "url": "https://issues.redhat.com/browse/JBEAP-22973" }, { "category": "external", "summary": "JBEAP-23038", "url": "https://issues.redhat.com/browse/JBEAP-23038" }, { "category": "external", "summary": "JBEAP-23040", "url": "https://issues.redhat.com/browse/JBEAP-23040" }, { "category": "external", "summary": "JBEAP-23045", "url": "https://issues.redhat.com/browse/JBEAP-23045" }, { "category": "external", "summary": "JBEAP-23101", "url": "https://issues.redhat.com/browse/JBEAP-23101" }, { "category": "external", "summary": "JBEAP-23105", "url": "https://issues.redhat.com/browse/JBEAP-23105" }, { "category": "external", "summary": "JBEAP-23143", "url": "https://issues.redhat.com/browse/JBEAP-23143" }, { "category": "external", "summary": "JBEAP-23177", "url": "https://issues.redhat.com/browse/JBEAP-23177" }, { "category": "external", "summary": "JBEAP-23323", "url": "https://issues.redhat.com/browse/JBEAP-23323" }, { "category": "external", "summary": "JBEAP-23373", "url": "https://issues.redhat.com/browse/JBEAP-23373" }, { "category": "external", "summary": "JBEAP-23374", "url": "https://issues.redhat.com/browse/JBEAP-23374" }, { "category": "external", "summary": "JBEAP-23375", "url": "https://issues.redhat.com/browse/JBEAP-23375" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_1297.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update", "tracking": { "current_release_date": "2024-11-06T00:39:57+00:00", "generator": { "date": "2024-11-06T00:39:57+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:1297", "initial_release_date": "2022-04-11T13:00:18+00:00", "revision_history": [ { "date": "2022-04-11T13:00:18+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-04-11T13:00:18+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:39:57+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss EAP 7.4 for RHEL 8", "product": { "name": "Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.8.6-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "product": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "product_id": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xom@1.3.7-1.redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.9-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.16-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate@5.3.25-1.Final_redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana@5.11.4-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "product": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "product_id": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis@2.16.0-7.redhat_00034.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.11-1.Final_redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "product": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "product_id": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-objectweb-asm@9.1.0-1.redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@11.0.15-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "product": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "product_id": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j@2.17.1-1.redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-vfs@3.2.16-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src", "product": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src", "product_id": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-yasson@1.0.10-1.redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "product": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "product_id": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ecj@3.26.0-1.redhat_00002.1.el8eap?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jbossws-cxf@5.4.4-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl@2.2.0-3.Final_redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el8-x86_64@2.2.0-2.Final_redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "product_id": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-15.Final_redhat_00014.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "product": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "product_id": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.4-3.GA_redhat_00011.1.el8eap?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.8.6-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "product_id": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xom@1.3.7-1.redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.9-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.16-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-core@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-entitymanager@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-envers@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-java8@5.3.25-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-compensations@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jbosstxbridge@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jbossxts@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jts-idlj@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jts-integration@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-api@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-bridge@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-integration@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-util@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-txframework@5.11.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-cli@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-commons@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-core-client@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-dto@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-hornetq-protocol@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-hqclient-protocol@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jdbc-store@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jms-client@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jms-server@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-journal@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-ra@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-selector@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-server@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-service-extensions@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product": { "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_id": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-tools@2.16.0-7.redhat_00034.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.11-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron-tool@1.15.11-1.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "product_id": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-objectweb-asm@9.1.0-1.redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-jdbc@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-remote@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-client-hotrod@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-commons@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-component-annotations@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-core@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-commons@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-spi@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-v53@11.0.15-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "product_id": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j@2.17.1-1.redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-vfs@3.2.16-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "product_id": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-yasson@1.0.10-1.redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "product_id": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ecj@3.26.0-1.redhat_00002.1.el8eap?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jbossws-cxf@5.4.4-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl@2.2.0-3.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-java@2.2.0-3.Final_redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_id": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-15.Final_redhat_00014.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_id": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-cli@1.10.0-15.Final_redhat_00014.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product": { "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_id": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-core@1.10.0-15.Final_redhat_00014.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_id": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.4-3.GA_redhat_00011.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product": { "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_id": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.4-3.GA_redhat_00011.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product": { "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_id": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.4-3.GA_redhat_00011.1.el8eap?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product": { "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product_id": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el8-x86_64@2.2.0-2.Final_redhat_00002.1.el8eap?arch=x86_64" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product": { "name": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product_id": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el8-x86_64-debuginfo@2.2.0-2.Final_redhat_00002.1.el8eap?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src" }, "product_reference": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch" }, "product_reference": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src" }, "product_reference": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch" }, "product_reference": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch" }, "product_reference": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" }, "product_reference": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src" }, "product_reference": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src" }, "product_reference": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64 as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64" }, "product_reference": "eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64 as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64" }, "product_reference": "eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src" }, "product_reference": "eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" }, "product_reference": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44832", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-28T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2035951" } ], "notes": [ { "category": "description", "text": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: remote code execution via JDBC Appender", "title": "Vulnerability summary" }, { "category": "other", "text": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\n\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44832" }, { "category": "external", "summary": "RHBZ#2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3293", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293" } ], "release_date": "2021-12-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: remote code execution via JDBC Appender" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" }, { "cve": "CVE-2021-45105", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2021-12-19T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034067" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Product Security has performed an analysis of this flaw and has classified the Attack Complexity(AC) as High because there are multiple factors involved which are beyond attacker\u0027s control:\n\n- The application has to use the logging configuration using a Context Map Lookup (for example, $${ctx:loginId}) which is a non-default Pattern Layout.\n- The application developer has to use the map org.apache.logging.log4j.ThreadContext in the application code and save at-least one key (for example, ThreadContext.put(\"loginId\", \"myId\");) in the ThreadContext map object.\n- Attackers must also know this saved key name in order to exploit this flaw.\n\nNote that saving keys in this map is a non-essential usage of log4j and just an optional feature provided. Refer to https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup to know more about the Context Map Lookup feature of Log4j.\n\nLog4j 1.x is not impacted by this vulnerability. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using ONLY the log4j-api JAR file without the log4j-core JAR file are NOT impacted by this vulnerability.\n\n\nDespite including a vulnerable version of Log4j 2.x, this vulnerability is not exploitable in Elasticsearch[0], as shipped in OpenShift Container Platform and OpenShift Logging. OpenShift 3.11 specifically does not contain any context lookups:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nThis vulnerability is therefore rated Low for Elasticsearch in OpenShift Container Platform and OpenShift Logging.\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-december-18-4", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45105" }, { "category": "external", "summary": "RHBZ#2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3230", "url": "https://issues.apache.org/jira/browse/LOG4J2-3230" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/19/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/19/1" } ], "release_date": "2021-12-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by:\n- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}.\n- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:18+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el8eap.src", "8Base-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-el8-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el8eap.x86_64", "8Base-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0449
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat Single Sign-On 7.5 from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.5.1 serves as a replacement for Red Hat Single Sign-On 7.5.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0449", "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso\u0026downloadType=securityPatches\u0026version=7.5", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso\u0026downloadType=securityPatches\u0026version=7.5" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-2054", "url": "https://issues.redhat.com/browse/CIAM-2054" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0449.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 security update", "tracking": { "current_release_date": "2024-11-06T00:26:32+00:00", "generator": { "date": "2024-11-06T00:26:32+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:0449", "initial_release_date": "2022-02-07T13:48:02+00:00", "revision_history": [ { "date": "2022-02-07T13:48:02+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T13:48:02+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:26:32+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "RHSSO 7.5.1", "product": { "name": "RHSSO 7.5.1", "product_id": "RHSSO 7.5.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7" } } } ], "category": "product_family", "name": "Red Hat Single Sign-On" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHSSO 7.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:48:02+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "RHSSO 7.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "RHSSO 7.5.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "RHSSO 7.5.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "acknowledgments": [ { "names": [ "Christian D\u00f6lling" ] } ], "cve": "CVE-2022-1466", "cwe": { "id": "CWE-1220", "name": "Insufficient Granularity of Access Control" }, "discovery_date": "2022-02-03T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2050228" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak. The Red Hat Single Sign-On allowed authed users to perform actions outside their permissions. This flaw makes adding users to the master realm possible even though no respective permission was granted.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: Improper authorization for master realm", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHSSO 7.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-1466" }, { "category": "external", "summary": "RHBZ#2050228", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2050228" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1466", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1466" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1466", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1466" } ], "release_date": "2022-01-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:48:02+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "RHSSO 7.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0449" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "RHSSO 7.5.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "keycloak: Improper authorization for master realm" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHSSO 7.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:48:02+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "RHSSO 7.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "RHSSO 7.5.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "RHSSO 7.5.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHSSO 7.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:48:02+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "RHSSO 7.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "RHSSO 7.5.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "RHSSO 7.5.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHSSO 7.5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:48:02+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "RHSSO 7.5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "RHSSO 7.5.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "RHSSO 7.5.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0291
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the parfait:0.5 module is now available for Red Hat Enterprise Linux 8.2 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Parfait is a Java performance monitoring library that collects metrics and exposes them through a variety of outputs. It provides APIs for extracting performance metrics from the JVM and other sources. It interfaces to Performance Co-Pilot (PCP) using the Memory Mapped Value (MMV) machinery for extremely lightweight instrumentation.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0291", "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0291.json" } ], "title": "Red Hat Security Advisory: parfait:0.5 security update", "tracking": { "current_release_date": "2024-11-06T00:22:53+00:00", "generator": { "date": "2024-11-06T00:22:53+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:0291", "initial_release_date": "2022-01-26T14:54:58+00:00", "revision_history": [ { "date": "2022-01-26T14:54:58+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-26T14:54:58+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:22:53+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product": { "name": "Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_eus:8.2::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "parfait:0.5:8020020220124231008:1c5d4e8a", "product": { "name": "parfait:0.5:8020020220124231008:1c5d4e8a", "product_id": "parfait:0.5:8020020220124231008:1c5d4e8a", "product_identification_helper": { "purl": "pkg:rpmmod/redhat/parfait@0.5:8020020220124231008:1c5d4e8a" } } }, { "category": "product_version", "name": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product": { "name": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product_id": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.2.0%2B13999%2Bfa2fb353?arch=noarch" } } }, { "category": "product_version", "name": "parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product": { "name": "parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product_id": "parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-examples@0.5.4-4.module%2Bel8.2.0%2B13999%2Bfa2fb353?arch=noarch" } } }, { "category": "product_version", "name": "parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product": { "name": "parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product_id": "parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-javadoc@0.5.4-4.module%2Bel8.2.0%2B13999%2Bfa2fb353?arch=noarch" } } }, { "category": "product_version", "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product": { "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product_id": "pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcp-parfait-agent@0.5.4-4.module%2Bel8.2.0%2B13999%2Bfa2fb353?arch=noarch" } } }, { "category": "product_version", "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_id": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product": { "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_id": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units-javadoc@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product_id": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product": { "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product_id": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api-javadoc@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_id": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product": { "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_id": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib-javadoc@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product_id": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_id": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_id": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se-javadoc@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product_id": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product": { "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product_id": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems-javadoc@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "product": { "name": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "product_id": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.2.0%2B13999%2Bfa2fb353?arch=src" } } }, { "category": "product_version", "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product_id": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product_id": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product_id": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product_id": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product_id": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product_id": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, "product_reference": "parfait:0.5:8020020220124231008:1c5d4e8a", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch" }, "product_reference": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src" }, "product_reference": "parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch" }, "product_reference": "parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch" }, "product_reference": "parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch" }, "product_reference": "pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch" }, "product_reference": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src" }, "product_reference": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch" }, "product_reference": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch" }, "product_reference": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src" }, "product_reference": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch" }, "product_reference": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src" }, "product_reference": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src" }, "product_reference": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src" }, "product_reference": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src" }, "product_reference": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8020020220124231008:1c5d4e8a as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)", "product_id": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:54:58+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:54:58+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:54:58+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:54:58+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-examples-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:parfait-javadoc-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:pcp-parfait-agent-0:0.5.4-4.module+el8.2.0+13999+fa2fb353.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.2.0.Z.EUS:parfait:0.5:8020020220124231008:1c5d4e8a:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0290
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the parfait:0.5 module is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Parfait is a Java performance monitoring library that collects metrics and exposes them through a variety of outputs. It provides APIs for extracting performance metrics from the JVM and other sources. It interfaces to Performance Co-Pilot (PCP) using the Memory Mapped Value (MMV) machinery for extremely lightweight instrumentation.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0290", "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0290.json" } ], "title": "Red Hat Security Advisory: parfait:0.5 security update", "tracking": { "current_release_date": "2024-11-06T00:22:38+00:00", "generator": { "date": "2024-11-06T00:22:38+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:0290", "initial_release_date": "2022-01-26T14:51:27+00:00", "revision_history": [ { "date": "2022-01-26T14:51:27+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-26T14:51:27+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:22:38+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream (v. 8)", "product": { "name": "Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN", "product_identification_helper": { "cpe": "cpe:/a:redhat:enterprise_linux:8::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "parfait:0.5:8050020220124063900:6b489b78", "product": { "name": "parfait:0.5:8050020220124063900:6b489b78", "product_id": "parfait:0.5:8050020220124063900:6b489b78", "product_identification_helper": { "purl": "pkg:rpmmod/redhat/parfait@0.5:8050020220124063900:6b489b78" } } }, { "category": "product_version", "name": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product": { "name": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product_id": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.5.0%2B13988%2Bde2b8c0b?arch=noarch" } } }, { "category": "product_version", "name": "parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product": { "name": "parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product_id": "parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-examples@0.5.4-4.module%2Bel8.5.0%2B13988%2Bde2b8c0b?arch=noarch" } } }, { "category": "product_version", "name": "parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product": { "name": "parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product_id": "parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-javadoc@0.5.4-4.module%2Bel8.5.0%2B13988%2Bde2b8c0b?arch=noarch" } } }, { "category": "product_version", "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product": { "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product_id": "pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcp-parfait-agent@0.5.4-4.module%2Bel8.5.0%2B13988%2Bde2b8c0b?arch=noarch" } } }, { "category": "product_version", "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_id": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product": { "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_id": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units-javadoc@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product_id": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product": { "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product_id": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api-javadoc@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_id": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product": { "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_id": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib-javadoc@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product_id": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_id": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_id": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se-javadoc@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product_id": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product": { "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product_id": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems-javadoc@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "product": { "name": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "product_id": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.5.0%2B13988%2Bde2b8c0b?arch=src" } } }, { "category": "product_version", "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product_id": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product_id": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product_id": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product_id": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product_id": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product_id": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, "product_reference": "parfait:0.5:8050020220124063900:6b489b78", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch" }, "product_reference": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src" }, "product_reference": "parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch" }, "product_reference": "parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch" }, "product_reference": "parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch" }, "product_reference": "pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch" }, "product_reference": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src" }, "product_reference": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch" }, "product_reference": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch" }, "product_reference": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src" }, "product_reference": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch" }, "product_reference": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src" }, "product_reference": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src" }, "product_reference": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src" }, "product_reference": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src" }, "product_reference": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8050020220124063900:6b489b78 as a component of Red Hat Enterprise Linux AppStream (v. 8)", "product_id": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:51:27+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:51:27+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:51:27+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:51:27+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-examples-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:parfait-javadoc-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:pcp-parfait-agent-0:0.5.4-4.module+el8.5.0+13988+de2b8c0b.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.5.0.Z.MAIN:parfait:0.5:8050020220124063900:6b489b78:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2021_5141
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.6.52 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact\nof Critical. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5141", "url": "https://access.redhat.com/errata/RHSA-2021:5141" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5141.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.6.52 security update", "tracking": { "current_release_date": "2024-11-09T01:57:34+00:00", "generator": { "date": "2024-11-09T01:57:34+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2021:5141", "initial_release_date": "2021-12-16T07:50:00+00:00", "revision_history": [ { "date": "2021-12-16T07:50:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-16T07:50:00+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-09T01:57:34+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.6", "product": { "name": "Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.6::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "product": { "name": "openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "product_id": "openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hadoop\u0026tag=v4.6.0-202112150545.p0.gf381145.assembly.art3595" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.6.0-202112150545.p0.gd74112d.assembly.art3595" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.6.0.202112150545.p0.gd74112d.assembly.art3595-1" } } }, { "category": "product_version", "name": "openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64", "product": { "name": "openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64", "product_id": "openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-presto\u0026tag=v4.6.0-202112150545.p0.g190688a.assembly.art3595" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64" }, "product_reference": "openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" }, "product_reference": "openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T07:50:00+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5141" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44228", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-10T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2030932" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "RHBZ#2030932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/", "url": "https://www.lunasec.io/docs/blog/log4j-zero-day/" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-10T02:01:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T07:50:00+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5141" }, { "category": "workaround", "details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2021-12-10T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Critical" } ], "title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T07:50:00+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5141" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:94a4644b5a65b551cf7d790676887e51e8aec01be60659b262f629f692f361c6_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:099361536ce805ecc59390e83b66c4e08ff3fb1c38c2dc0f56b4d001dce79fd7_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hadoop@sha256:56a77578d021635534efcca828d6f0cccf241c257f09dfe09a0954d59706f563_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-metering-presto@sha256:614005401fe4df9fdcad9f3b38e612cf023b79c013db3bed5aa7822d9d5e55ab_amd64" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Moderate" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" } ] }
rhsa-2021_5184
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.7.40 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046 (CVE-2021-4125)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5184", "url": "https://access.redhat.com/errata/RHSA-2021:5184" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2033121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5184.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.7.40 security update", "tracking": { "current_release_date": "2024-11-06T00:16:17+00:00", "generator": { "date": "2024-11-06T00:16:17+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2021:5184", "initial_release_date": "2021-12-16T21:40:28+00:00", "revision_history": [ { "date": "2021-12-16T21:40:28+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-16T21:40:28+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:16:17+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.7", "product": { "name": "Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.7::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64", "product": { "name": "openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64", "product_id": "openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hive\u0026tag=v4.7.0-202112160422.p0.g6a2b6aa.assembly.4.7.40" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.7.0-202112160422.p0.g3959be4.assembly.4.7.40" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.7.0.202112160422.p0.g3959be4.assembly.4.7.40-1" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" }, "product_reference": "openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64", "relates_to_product_reference": "8Base-RHOSE-4.7" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T21:40:28+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5184" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-4125", "discovery_date": "2021-12-16T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2033121" } ], "notes": [ { "category": "description", "text": "It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed.", "title": "Vulnerability description" }, { "category": "summary", "text": "kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046", "title": "Vulnerability summary" }, { "category": "other", "text": "This CVE only applies to the OpenShift Metering hive container images, shipped in OpenShift 4.8, 4.7 and 4.6. The below previously shipped advisories were incomplete:\n\nhttps://access.redhat.com/errata/RHSA-2021:5108\n\nhttps://access.redhat.com/errata/RHSA-2021:5107\n\nhttps://access.redhat.com/errata/RHSA-2021:5106\n\nFor the complete fix, customers should upgrade to the images shipped in these advisories:\n\n4.8.24: https://access.redhat.com/errata/RHSA-2021:5183\n\n4.7.40: https://access.redhat.com/errata/RHSA-2021:5184\n\n4.6.52 https://access.redhat.com/errata/RHSA-2021:5186\n\nThe OpenShift Metering hive container images were deprecated in OpenShift 4.8, and not shipped in 4.9 or later.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4125" }, { "category": "external", "summary": "RHBZ#2033121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4125", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4125" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4125", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4125" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-45046", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" } ], "release_date": "2021-12-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T21:40:28+00:00", "details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5184" }, { "category": "workaround", "details": "Please follow the Mitigation advice for the original CVEs.", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle@sha256:e271e3d409615875e4545938fdeecb4711dace24635ec2eb2c09549986fcf5ea_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator@sha256:2243ea096f285ca59041de4d3362687f660fdb3a7e0c2c991a23f121958cf162_amd64", "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive@sha256:9b71fce5df4593cf6897a2080e0b734a925ce4e426029d2204f106b546e560a1_amd64" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ], "title": "kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046" } ] }
rhsa-2021_5186
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.6.52 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046 (CVE-2021-4125)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5186", "url": "https://access.redhat.com/errata/RHSA-2021:5186" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2033121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5186.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.6.52 security update", "tracking": { "current_release_date": "2024-11-06T00:16:31+00:00", "generator": { "date": "2024-11-06T00:16:31+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2021:5186", "initial_release_date": "2021-12-16T22:34:47+00:00", "revision_history": [ { "date": "2021-12-16T22:34:47+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-16T22:34:47+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:16:31+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.6", "product": { "name": "Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.6::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64", "product": { "name": "openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64", "product_id": "openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-hive\u0026tag=v4.6.0-202112160147.p0.gf139e12.assembly.stream" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "product_id": "openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator\u0026tag=v4.6.0-202112161349.p0.gd74112d.assembly.art3595" } } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "product_id": "openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "product_identification_helper": { "purl": "pkg:oci/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-metering-ansible-operator-bundle\u0026tag=v4.6.0.202112161349.p0.gd74112d.assembly.art3595-1" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64" }, "product_reference": "openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64 as a component of Red Hat OpenShift Container Platform 4.6", "product_id": "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" }, "product_reference": "openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64", "relates_to_product_reference": "8Base-RHOSE-4.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T22:34:47+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5186" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-4125", "discovery_date": "2021-12-16T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2033121" } ], "notes": [ { "category": "description", "text": "It was found that the original fix for log4j CVE-2021-44228 and CVE-2021-45046 in the OpenShift metering hive containers was incomplete, as not all JndiLookup.class files were removed.", "title": "Vulnerability description" }, { "category": "summary", "text": "kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046", "title": "Vulnerability summary" }, { "category": "other", "text": "This CVE only applies to the OpenShift Metering hive container images, shipped in OpenShift 4.8, 4.7 and 4.6. The below previously shipped advisories were incomplete:\n\nhttps://access.redhat.com/errata/RHSA-2021:5108\n\nhttps://access.redhat.com/errata/RHSA-2021:5107\n\nhttps://access.redhat.com/errata/RHSA-2021:5106\n\nFor the complete fix, customers should upgrade to the images shipped in these advisories:\n\n4.8.24: https://access.redhat.com/errata/RHSA-2021:5183\n\n4.7.40: https://access.redhat.com/errata/RHSA-2021:5184\n\n4.6.52 https://access.redhat.com/errata/RHSA-2021:5186\n\nThe OpenShift Metering hive container images were deprecated in OpenShift 4.8, and not shipped in 4.9 or later.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ], "known_not_affected": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4125" }, { "category": "external", "summary": "RHBZ#2033121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033121" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4125", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4125" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4125", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4125" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-45046", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" } ], "release_date": "2021-12-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-16T22:34:47+00:00", "details": "For OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5186" }, { "category": "workaround", "details": "Please follow the Mitigation advice for the original CVEs.", "product_ids": [ "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator-bundle@sha256:5abf438d66d7cced31b939ddb1738d6957fc53656f4b8b4ad8def131160359f8_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-ansible-operator@sha256:1aa6520236d36695be64bda531d51996520cd7de4a6becdec757bb03169aa3d1_amd64", "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.6:openshift4/ose-metering-hive@sha256:2188be3bca06635315c092bed7d4c9fde861474919b327abd0f3d983e5a91bfe_amd64" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ], "title": "kube-reporting/hive: Incomplete fix for log4j CVE-2021-44228 and CVE-2021-45046" } ] }
rhsa-2022_0446
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat Single Sign-On 7.4 from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.4.10 serves as a replacement for Red Hat Single Sign-On 7.4.9, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0446", "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso\u0026downloadType=securityPatches\u0026version=7.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso\u0026downloadType=securityPatches\u0026version=7.4" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-2064", "url": "https://issues.redhat.com/browse/CIAM-2064" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0446.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.4.10 security update", "tracking": { "current_release_date": "2024-11-06T00:25:51+00:00", "generator": { "date": "2024-11-06T00:25:51+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:0446", "initial_release_date": "2022-02-07T13:43:49+00:00", "revision_history": [ { "date": "2022-02-07T13:43:49+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T13:43:49+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:25:51+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Single Sign-On 7.4.10", "product": { "name": "Red Hat Single Sign-On 7.4.10", "product_id": "Red Hat Single Sign-On 7.4.10", "product_identification_helper": { "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7" } } } ], "category": "product_family", "name": "Red Hat Single Sign-On" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7.4.10" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:43:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7.4.10" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7.4.10" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:43:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7.4.10" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7.4.10" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:43:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7.4.10" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7.4.10" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:43:49+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat Single Sign-On 7.4.10" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7.4.10" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0524
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Web Server 3.1 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this release as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1 Service Pack 14 serves as a replacement for Red Hat JBoss Web Server 3.1 Service Pack 13. This release includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink [jws-3] (CVE-2022-23302)\n* log4j-eap6: log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender [jws-3] (CVE-2022-23305)\n* log4j-eap6: log4j: Unsafe deserialization flaw in Chainsaw log viewer [jws-3] (CVE-2022-23307)\n* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [jws-3.1] (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0524", "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0524.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Web Server 3.1 Service Pack 14 Security Update", "tracking": { "current_release_date": "2024-11-06T00:28:25+00:00", "generator": { "date": "2024-11-06T00:28:25+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:0524", "initial_release_date": "2022-02-14T17:10:12+00:00", "revision_history": [ { "date": "2022-02-14T17:10:12+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-14T17:10:12+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:28:25+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Web Server 3.1 for RHEL 7", "product": { "name": "Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Web Server" }, { "branches": [ { "category": "product_version", "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "product": { "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "product_id": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-native@1.2.23-26.redhat_26.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "tomcat7-0:7.0.70-46.ep7.el7.src", "product": { "name": "tomcat7-0:7.0.70-46.ep7.el7.src", "product_id": "tomcat7-0:7.0.70-46.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7@7.0.70-46.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "tomcat8-0:8.0.36-49.ep7.el7.src", "product": { "name": "tomcat8-0:8.0.36-49.ep7.el7.src", "product_id": "tomcat8-0:8.0.36-49.ep7.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8@8.0.36-49.ep7.el7?arch=src" } } }, { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product": { "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product_id": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-native@1.2.23-26.redhat_26.ep7.el7?arch=x86_64" } } }, { "category": "product_version", "name": "tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product": { "name": "tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product_id": "tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat-native-debuginfo@1.2.23-26.redhat_26.ep7.el7?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "tomcat7-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-admin-webapps@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-docs-webapp@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-el-2.2-api@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-javadoc@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-jsp-2.2-api@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-jsvc@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-lib@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-log4j@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-selinux@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-servlet-3.0-api@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "product": { "name": "tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "product_id": "tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat7-webapps@7.0.70-46.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-admin-webapps@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-docs-webapp@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-el-2.2-api@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-javadoc@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-jsp-2.3-api@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-jsvc@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-lib@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-log4j@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-selinux@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-servlet-3.1-api@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch", "product": { "name": "tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch", "product_id": "tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat8-webapps@8.0.36-49.ep7.el7?arch=noarch" } } }, { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src" }, "product_reference": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64" }, "product_reference": "tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64" }, "product_reference": "tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-0:7.0.70-46.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src" }, "product_reference": "tomcat7-0:7.0.70-46.ep7.el7.src", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-lib-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch" }, "product_reference": "tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-0:8.0.36-49.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src" }, "product_reference": "tomcat8-0:8.0.36-49.ep7.el7.src", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-lib-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", "product_id": "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" }, "product_reference": "tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch", "relates_to_product_reference": "7Server-JWS-3.1" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:10:12+00:00", "details": "Before applying this update, ensure that all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:10:12+00:00", "details": "Before applying this update, ensure that all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:10:12+00:00", "details": "Before applying this update, ensure that all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:10:12+00:00", "details": "Before applying this update, ensure that all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JWS-3.1:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-26.redhat_26.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-46.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-46.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-49.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-49.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-49.ep7.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0438
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5, 6, and 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis asynchronous patch is an update for JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5, 6, and 7. All users of Red Hat JBoss Enterprise Application Platform 6.4 are advised to upgrade to this updated package.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0438", "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0438.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4 security update", "tracking": { "current_release_date": "2024-11-06T00:25:52+00:00", "generator": { "date": "2024-11-06T00:25:52+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:0438", "initial_release_date": "2022-02-03T18:51:47+00:00", "revision_history": [ { "date": "2022-02-03T18:51:47+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-03T18:51:47+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:25:52+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el6" } } }, { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "product": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "product_id": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-jboss-logmanager@1.1.4-3.Final_redhat_00002.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src", "product": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src", "product_id": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-jboss-logmanager@1.1.4-3.Final_redhat_00002.1.ep6.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "product": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "product_id": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-jboss-logmanager@1.1.4-3.Final_redhat_00002.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product_id": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-eap6@1.2.17-3.redhat_00008.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "product": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "product_id": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-jboss-logmanager@1.1.4-3.Final_redhat_00002.1.ep6.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch" }, "product_reference": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src" }, "product_reference": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src" }, "product_reference": "log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch" }, "product_reference": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" }, "product_reference": "log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:51:47+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:51:47+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:51:47+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:51:47+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el6.src", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch", "6Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el6.src", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-eap6-0:1.2.17-3.redhat_00008.1.ep6.el7.src", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch", "7Server-JBEAP-6.4:log4j-jboss-logmanager-0:1.1.4-3.Final_redhat_00002.1.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0430
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for Red Hat Data Grid is now available.\n \nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.\n \nData Grid 7.3.9 replaces Data Grid 7.3.8 and includes bug fixes and enhancements. Find out more about Data Grid 7.3.8 in the Release Notes [3].\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0430", "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381\u0026product=data.grid\u0026version=7.3\u0026downloadType=patches", "url": "https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381\u0026product=data.grid\u0026version=7.3\u0026downloadType=patches" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index", "url": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0430.json" } ], "title": "Red Hat Security Advisory: Red Hat Data Grid 7.3.9 security update", "tracking": { "current_release_date": "2024-11-06T00:25:40+00:00", "generator": { "date": "2024-11-06T00:25:40+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:0430", "initial_release_date": "2022-02-03T14:04:37+00:00", "revision_history": [ { "date": "2022-02-03T14:04:37+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-03T14:04:37+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:25:40+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Data Grid 7.3.9", "product": { "name": "Red Hat Data Grid 7.3.9", "product_id": "Red Hat Data Grid 7.3.9", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_data_grid:7.3" } } } ], "category": "product_family", "name": "Red Hat JBoss Data Grid" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Data Grid 7.3.9" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T14:04:37+00:00", "details": "To install this update, do the following:\n \n1. Download the Data Grid 7.3.9 server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 7.3.9 server patch. Refer to the 7.3.9 Release Notes[\u00b3] for patching instructions.\n4. Restart Data Grid to ensure the changes take effect.", "product_ids": [ "Red Hat Data Grid 7.3.9" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Data Grid 7.3.9" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Data Grid 7.3.9" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Data Grid 7.3.9" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T14:04:37+00:00", "details": "To install this update, do the following:\n \n1. Download the Data Grid 7.3.9 server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 7.3.9 server patch. Refer to the 7.3.9 Release Notes[\u00b3] for patching instructions.\n4. Restart Data Grid to ensure the changes take effect.", "product_ids": [ "Red Hat Data Grid 7.3.9" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Data Grid 7.3.9" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Data Grid 7.3.9" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Data Grid 7.3.9" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T14:04:37+00:00", "details": "To install this update, do the following:\n \n1. Download the Data Grid 7.3.9 server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 7.3.9 server patch. Refer to the 7.3.9 Release Notes[\u00b3] for patching instructions.\n4. Restart Data Grid to ensure the changes take effect.", "product_ids": [ "Red Hat Data Grid 7.3.9" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat Data Grid 7.3.9" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Data Grid 7.3.9" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Data Grid 7.3.9" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T14:04:37+00:00", "details": "To install this update, do the following:\n \n1. Download the Data Grid 7.3.9 server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 7.3.9 server patch. Refer to the 7.3.9 Release Notes[\u00b3] for patching instructions.\n4. Restart Data Grid to ensure the changes take effect.", "product_ids": [ "Red Hat Data Grid 7.3.9" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat Data Grid 7.3.9" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Data Grid 7.3.9" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0507
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Data Virtualization.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems - such as multiple databases, XML files, and even Hadoop systems - appear as a set of tables in a local database.\n\nThis Service Pack release of Red Hat JBoss Data Virtualization 6.4.8.SP2 (Service Pack 2) serves as a replacement for Red Hat JBoss Data Virtualization 6.4.8 and Red Hat JBoss Data Virtualization 6.4.8.SP1, and mitigates the impact of the log4j CVE\u0027s referenced in this document by removing the affected classes from the patch.\n\nNote: customers should update their EAP 6.4 installation with the corresponding security fixes that have been released for that (see RHSA-2022:0437 and https://access.redhat.com/site/solutions/625683)\n\nSecurity Fix(es):\n\n* log4j: deserialization of untrusted data in SocketServer (CVE-2019-17571)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\n* log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0507", "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.4/html/release_notes/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.4/html/release_notes/" }, { "category": "external", "summary": "1785616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785616" }, { "category": "external", "summary": "1831139", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831139" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0507.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.4.8.SP2 security update", "tracking": { "current_release_date": "2024-11-06T00:27:27+00:00", "generator": { "date": "2024-11-06T00:27:27+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:0507", "initial_release_date": "2022-02-10T17:26:37+00:00", "revision_history": [ { "date": "2022-02-10T17:26:37+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-10T17:26:37+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:27:27+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Data Virtualization 6.4.8.SP2", "product": { "name": "Red Hat JBoss Data Virtualization 6.4.8.SP2", "product_id": "Red Hat JBoss Data Virtualization 6.4.8.SP2", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_data_virtualization:6.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Data Virtualization" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-17571", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2019-12-20T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1785616" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: deserialization of untrusted data in SocketServer", "title": "Vulnerability summary" }, { "category": "other", "text": "This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.\nAlso the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417\n\nIn Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-17571" }, { "category": "external", "summary": "RHBZ#1785616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785616" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-17571", "url": "https://www.cve.org/CVERecord?id=CVE-2019-17571" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17571" } ], "release_date": "2019-12-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:\n\nlog4j.appender.file.layout=org.apache.log4j.JsonLayout", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: deserialization of untrusted data in SocketServer" }, { "cve": "CVE-2020-9488", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "discovery_date": "2020-04-25T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1831139" } ], "notes": [ { "category": "description", "text": "Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: improper validation of certificate with host mismatch in SMTP appender", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-9488" }, { "category": "external", "summary": "RHBZ#1831139", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831139" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-9488", "url": "https://www.cve.org/CVERecord?id=CVE-2020-9488" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9488", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9488" } ], "release_date": "2020-04-25T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "Previous versions can set the system property mail.smtp.ssl.checkserveridentity to true to globally enable hostname verification for SMTPS connections.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: improper validation of certificate with host mismatch in SMTP appender" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-10T17:26:37+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP2" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2021_5206
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for log4j is now available for Red Hat Enterprise Linux 6 Extended Lifecycle Support, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 7.3 Advanced Update Support, Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.6 Advanced Update Support, Red Hat Enterprise Linux 7.6 Telco Extended Update Support, Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions, Red Hat Enterprise Linux 7.7 Advanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended Update Support, and Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Log4j is a tool to help the programmer output log statements to a variety of output targets.\n\nSecurity Fix(es):\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5206", "url": "https://access.redhat.com/errata/RHSA-2021:5206" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5206.json" } ], "title": "Red Hat Security Advisory: log4j security update", "tracking": { "current_release_date": "2024-11-06T00:16:37+00:00", "generator": { "date": "2024-11-06T00:16:37+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2021:5206", "initial_release_date": "2021-12-20T09:54:00+00:00", "revision_history": [ { "date": "2021-12-20T09:54:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-20T09:54:00+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:16:37+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux Server (v. 6 ELS)", "product": { "name": "Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_els:6" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product": { "name": "Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_els:6" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server AUS (v. 7.3)", "product": { "name": "Red Hat Enterprise Linux Server AUS (v. 7.3)", "product_id": "7Server-7.3.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.3::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product": { "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product_id": "7Server-optional-7.3.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.3::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server AUS (v. 7.4)", "product": { "name": "Red Hat Enterprise Linux Server AUS (v. 7.4)", "product_id": "7Server-7.4.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.4::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product": { "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product_id": "7Server-optional-7.4.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.4::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server AUS (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product_id": "7Server-optional-7.6.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server E4S (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_e4s:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product_id": "7Server-optional-7.6.E4S", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_e4s:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server TUS (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_tus:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product": { "name": "Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product_id": "7Server-optional-7.6.TUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_tus:7.6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server AUS (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server AUS (v. 7.7)", "product_id": "7Server-7.7.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product_id": "7Server-optional-7.7.AUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_aus:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product_id": "7Server-optional-7.7.E4S", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_e4s:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server E4S (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server E4S (v. 7.7)", "product_id": "7Server-7.7.E4S", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_e4s:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server TUS (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server TUS (v. 7.7)", "product_id": "7Server-7.7.TUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_tus:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product": { "name": "Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product_id": "7Server-optional-7.7.TUS", "product_identification_helper": { "cpe": "cpe:/o:redhat:rhel_tus:7.7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Client (v. 7)", "product": { "name": "Red Hat Enterprise Linux Client (v. 7)", "product_id": "7Client-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::client" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Client Optional (v. 7)", "product": { "name": "Red Hat Enterprise Linux Client Optional (v. 7)", "product_id": "7Client-optional-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::client" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product": { "name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product_id": "7ComputeNode-optional-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::computenode" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server (v. 7)", "product": { "name": "Red Hat Enterprise Linux Server (v. 7)", "product_id": "7Server-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional (v. 7)", "product": { "name": "Red Hat Enterprise Linux Server Optional (v. 7)", "product_id": "7Server-optional-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Workstation (v. 7)", "product": { "name": "Red Hat Enterprise Linux Workstation (v. 7)", "product_id": "7Workstation-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::workstation" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Workstation Optional (v. 7)", "product": { "name": "Red Hat Enterprise Linux Workstation Optional (v. 7)", "product_id": "7Workstation-optional-7.9.Z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7::workstation" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "log4j-0:1.2.14-6.5.el6_10.src", "product": { "name": "log4j-0:1.2.14-6.5.el6_10.src", "product_id": "log4j-0:1.2.14-6.5.el6_10.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.14-6.5.el6_10?arch=src" } } }, { "category": "product_version", "name": "log4j-0:1.2.17-16.el7_3.src", "product": { "name": "log4j-0:1.2.17-16.el7_3.src", "product_id": "log4j-0:1.2.17-16.el7_3.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.17-16.el7_3?arch=src" } } }, { "category": "product_version", "name": "log4j-0:1.2.17-17.el7_4.src", "product": { "name": "log4j-0:1.2.17-17.el7_4.src", "product_id": "log4j-0:1.2.17-17.el7_4.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.17-17.el7_4?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "log4j-0:1.2.14-6.5.el6_10.x86_64", "product": { "name": "log4j-0:1.2.14-6.5.el6_10.x86_64", "product_id": "log4j-0:1.2.14-6.5.el6_10.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.14-6.5.el6_10?arch=x86_64" } } }, { "category": "product_version", "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "product": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "product_id": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-debuginfo@1.2.14-6.5.el6_10?arch=x86_64" } } }, { "category": "product_version", "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "product": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "product_id": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-javadoc@1.2.14-6.5.el6_10?arch=x86_64" } } }, { "category": "product_version", "name": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "product": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "product_id": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-manual@1.2.14-6.5.el6_10?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "log4j-0:1.2.14-6.5.el6_10.i686", "product": { "name": "log4j-0:1.2.14-6.5.el6_10.i686", "product_id": "log4j-0:1.2.14-6.5.el6_10.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.14-6.5.el6_10?arch=i686" } } }, { "category": "product_version", "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "product": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "product_id": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-debuginfo@1.2.14-6.5.el6_10?arch=i686" } } }, { "category": "product_version", "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "product": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "product_id": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-javadoc@1.2.14-6.5.el6_10?arch=i686" } } }, { "category": "product_version", "name": "log4j-manual-0:1.2.14-6.5.el6_10.i686", "product": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.i686", "product_id": "log4j-manual-0:1.2.14-6.5.el6_10.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-manual@1.2.14-6.5.el6_10?arch=i686" } } } ], "category": "architecture", "name": "i686" }, { "branches": [ { "category": "product_version", "name": "log4j-0:1.2.14-6.5.el6_10.s390x", "product": { "name": "log4j-0:1.2.14-6.5.el6_10.s390x", "product_id": "log4j-0:1.2.14-6.5.el6_10.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.14-6.5.el6_10?arch=s390x" } } }, { "category": "product_version", "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "product": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "product_id": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-debuginfo@1.2.14-6.5.el6_10?arch=s390x" } } }, { "category": "product_version", "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "product": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "product_id": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-javadoc@1.2.14-6.5.el6_10?arch=s390x" } } }, { "category": "product_version", "name": "log4j-manual-0:1.2.14-6.5.el6_10.s390x", "product": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.s390x", "product_id": "log4j-manual-0:1.2.14-6.5.el6_10.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-manual@1.2.14-6.5.el6_10?arch=s390x" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "log4j-0:1.2.17-16.el7_3.noarch", "product": { "name": "log4j-0:1.2.17-16.el7_3.noarch", "product_id": "log4j-0:1.2.17-16.el7_3.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.17-16.el7_3?arch=noarch" } } }, { "category": "product_version", "name": "log4j-javadoc-0:1.2.17-16.el7_3.noarch", "product": { "name": "log4j-javadoc-0:1.2.17-16.el7_3.noarch", "product_id": "log4j-javadoc-0:1.2.17-16.el7_3.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-javadoc@1.2.17-16.el7_3?arch=noarch" } } }, { "category": "product_version", "name": "log4j-manual-0:1.2.17-16.el7_3.noarch", "product": { "name": "log4j-manual-0:1.2.17-16.el7_3.noarch", "product_id": "log4j-manual-0:1.2.17-16.el7_3.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-manual@1.2.17-16.el7_3?arch=noarch" } } }, { "category": "product_version", "name": "log4j-0:1.2.17-17.el7_4.noarch", "product": { "name": "log4j-0:1.2.17-17.el7_4.noarch", "product_id": "log4j-0:1.2.17-17.el7_4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j@1.2.17-17.el7_4?arch=noarch" } } }, { "category": "product_version", "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "product": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "product_id": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-javadoc@1.2.17-17.el7_4?arch=noarch" } } }, { "category": "product_version", "name": "log4j-manual-0:1.2.17-17.el7_4.noarch", "product": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch", "product_id": "log4j-manual-0:1.2.17-17.el7_4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/log4j-manual@1.2.17-17.el7_4?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.src as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.src" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.src", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-manual-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-manual-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server (v. 6 ELS)", "product_id": "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.src as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.src" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.src", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.i686 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686" }, "product_reference": "log4j-manual-0:1.2.14-6.5.el6_10.i686", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.s390x as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x" }, "product_reference": "log4j-manual-0:1.2.14-6.5.el6_10.s390x", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64 as a component of Red Hat Enterprise Linux Server Optional (v. 6 ELS)", "product_id": "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64" }, "product_reference": "log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "relates_to_product_reference": "6Server-optional-ELS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", "product_id": "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Client-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Client (v. 7)", "product_id": "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Client-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", "product_id": "7Client-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Client-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", "product_id": "7Client-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Client-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", "product_id": "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Client-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Client Optional (v. 7)", "product_id": "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Client-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", "product_id": "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Client-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", "product_id": "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Client-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product_id": "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7ComputeNode-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product_id": "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7ComputeNode-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product_id": "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7ComputeNode-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", "product_id": "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7ComputeNode-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-16.el7_3.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.3)", "product_id": "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch" }, "product_reference": "log4j-0:1.2.17-16.el7_3.noarch", "relates_to_product_reference": "7Server-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-16.el7_3.src as a component of Red Hat Enterprise Linux Server AUS (v. 7.3)", "product_id": "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.src" }, "product_reference": "log4j-0:1.2.17-16.el7_3.src", "relates_to_product_reference": "7Server-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-16.el7_3.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.3)", "product_id": "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-16.el7_3.noarch", "relates_to_product_reference": "7Server-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-16.el7_3.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.3)", "product_id": "7Server-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch" }, "product_reference": "log4j-manual-0:1.2.17-16.el7_3.noarch", "relates_to_product_reference": "7Server-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.4)", "product_id": "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server AUS (v. 7.4)", "product_id": "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.4)", "product_id": "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.4)", "product_id": "7Server-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.6)", "product_id": "7Server-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.6)", "product_id": "7Server-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.6)", "product_id": "7Server-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.7)", "product_id": "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server AUS (v. 7.7)", "product_id": "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.7)", "product_id": "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server AUS (v. 7.7)", "product_id": "7Server-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.7)", "product_id": "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server E4S (v. 7.7)", "product_id": "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.7)", "product_id": "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server E4S (v. 7.7)", "product_id": "7Server-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.7)", "product_id": "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server TUS (v. 7.7)", "product_id": "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.7)", "product_id": "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server TUS (v. 7.7)", "product_id": "7Server-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", "product_id": "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server (v. 7)", "product_id": "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", "product_id": "7Server-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", "product_id": "7Server-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-16.el7_3.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product_id": "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch" }, "product_reference": "log4j-0:1.2.17-16.el7_3.noarch", "relates_to_product_reference": "7Server-optional-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-16.el7_3.src as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product_id": "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.src" }, "product_reference": "log4j-0:1.2.17-16.el7_3.src", "relates_to_product_reference": "7Server-optional-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-16.el7_3.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product_id": "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-16.el7_3.noarch", "relates_to_product_reference": "7Server-optional-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-16.el7_3.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.3)", "product_id": "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch" }, "product_reference": "log4j-manual-0:1.2.17-16.el7_3.noarch", "relates_to_product_reference": "7Server-optional-7.3.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product_id": "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product_id": "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product_id": "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.4)", "product_id": "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.4.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product_id": "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product_id": "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product_id": "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.6)", "product_id": "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product_id": "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product_id": "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product_id": "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.6)", "product_id": "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product_id": "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product_id": "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product_id": "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.6)", "product_id": "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.6.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product_id": "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product_id": "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product_id": "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional AUS (v. 7.7)", "product_id": "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.AUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product_id": "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product_id": "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product_id": "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional E4S (v. 7.7)", "product_id": "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product_id": "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product_id": "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product_id": "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional TUS (v. 7.7)", "product_id": "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.7.TUS" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", "product_id": "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)", "product_id": "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Server-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", "product_id": "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", "product_id": "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Server-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", "product_id": "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Workstation-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Workstation (v. 7)", "product_id": "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Workstation-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", "product_id": "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Workstation-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", "product_id": "7Workstation-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Workstation-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", "product_id": "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Workstation-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-0:1.2.17-17.el7_4.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", "product_id": "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src" }, "product_reference": "log4j-0:1.2.17-17.el7_4.src", "relates_to_product_reference": "7Workstation-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-javadoc-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", "product_id": "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-javadoc-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Workstation-optional-7.9.Z" }, { "category": "default_component_of", "full_product_name": { "name": "log4j-manual-0:1.2.17-17.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", "product_id": "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" }, "product_reference": "log4j-manual-0:1.2.17-17.el7_4.noarch", "relates_to_product_reference": "7Workstation-optional-7.9.Z" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-20T09:54:00+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5206" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.src", "6Server-optional-ELS:log4j-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-debuginfo-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-javadoc-0:1.2.14-6.5.el6_10.x86_64", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.i686", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.s390x", "6Server-optional-ELS:log4j-manual-0:1.2.14-6.5.el6_10.x86_64", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Client-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Client-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7ComputeNode-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7ComputeNode-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-0:1.2.17-16.el7_3.src", "7Server-optional-7.3.AUS:log4j-javadoc-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.3.AUS:log4j-manual-0:1.2.17-16.el7_3.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.4.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.4.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.6.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.6.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.AUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.AUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.E4S:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.E4S:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.7.TUS:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.7.TUS:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Server-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Server-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-0:1.2.17-17.el7_4.src", "7Workstation-optional-7.9.Z:log4j-javadoc-0:1.2.17-17.el7_4.noarch", "7Workstation-optional-7.9.Z:log4j-manual-0:1.2.17-17.el7_4.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" } ] }
rhsa-2022_1296
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\n* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:1296", "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "JBEAP-22105", "url": "https://issues.redhat.com/browse/JBEAP-22105" }, { "category": "external", "summary": "JBEAP-22385", "url": "https://issues.redhat.com/browse/JBEAP-22385" }, { "category": "external", "summary": "JBEAP-22731", "url": "https://issues.redhat.com/browse/JBEAP-22731" }, { "category": "external", "summary": "JBEAP-22738", "url": "https://issues.redhat.com/browse/JBEAP-22738" }, { "category": "external", "summary": "JBEAP-22819", "url": "https://issues.redhat.com/browse/JBEAP-22819" }, { "category": "external", "summary": "JBEAP-22839", "url": "https://issues.redhat.com/browse/JBEAP-22839" }, { "category": "external", "summary": "JBEAP-22864", "url": "https://issues.redhat.com/browse/JBEAP-22864" }, { "category": "external", "summary": "JBEAP-22899", "url": "https://issues.redhat.com/browse/JBEAP-22899" }, { "category": "external", "summary": "JBEAP-22904", "url": "https://issues.redhat.com/browse/JBEAP-22904" }, { "category": "external", "summary": "JBEAP-22911", "url": "https://issues.redhat.com/browse/JBEAP-22911" }, { "category": "external", "summary": "JBEAP-22912", "url": "https://issues.redhat.com/browse/JBEAP-22912" }, { "category": "external", "summary": "JBEAP-22913", "url": "https://issues.redhat.com/browse/JBEAP-22913" }, { "category": "external", "summary": "JBEAP-22935", "url": "https://issues.redhat.com/browse/JBEAP-22935" }, { "category": "external", "summary": "JBEAP-22945", "url": "https://issues.redhat.com/browse/JBEAP-22945" }, { "category": "external", "summary": "JBEAP-22973", "url": "https://issues.redhat.com/browse/JBEAP-22973" }, { "category": "external", "summary": "JBEAP-23038", "url": "https://issues.redhat.com/browse/JBEAP-23038" }, { "category": "external", "summary": "JBEAP-23040", "url": "https://issues.redhat.com/browse/JBEAP-23040" }, { "category": "external", "summary": "JBEAP-23045", "url": "https://issues.redhat.com/browse/JBEAP-23045" }, { "category": "external", "summary": "JBEAP-23101", "url": "https://issues.redhat.com/browse/JBEAP-23101" }, { "category": "external", "summary": "JBEAP-23105", "url": "https://issues.redhat.com/browse/JBEAP-23105" }, { "category": "external", "summary": "JBEAP-23143", "url": "https://issues.redhat.com/browse/JBEAP-23143" }, { "category": "external", "summary": "JBEAP-23177", "url": "https://issues.redhat.com/browse/JBEAP-23177" }, { "category": "external", "summary": "JBEAP-23323", "url": "https://issues.redhat.com/browse/JBEAP-23323" }, { "category": "external", "summary": "JBEAP-23373", "url": "https://issues.redhat.com/browse/JBEAP-23373" }, { "category": "external", "summary": "JBEAP-23374", "url": "https://issues.redhat.com/browse/JBEAP-23374" }, { "category": "external", "summary": "JBEAP-23375", "url": "https://issues.redhat.com/browse/JBEAP-23375" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_1296.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update", "tracking": { "current_release_date": "2024-11-06T00:40:06+00:00", "generator": { "date": "2024-11-06T00:40:06+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:1296", "initial_release_date": "2022-04-11T12:59:41+00:00", "revision_history": [ { "date": "2022-04-11T12:59:41+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-04-11T12:59:41+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:40:06+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product": { "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.8.6-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "product": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "product_id": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xom@1.3.7-1.redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.9-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.16-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate@5.3.25-1.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana@5.11.4-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "product": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "product_id": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis@2.16.0-7.redhat_00034.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.11-1.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@11.0.15-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "product": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "product_id": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-objectweb-asm@9.1.0-1.redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-vfs@3.2.16-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "product": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "product_id": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j@2.17.1-1.redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src", "product": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src", "product_id": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-yasson@1.0.10-1.redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "product": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "product_id": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ecj@3.26.0-1.redhat_00002.1.el7eap?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jbossws-cxf@5.4.4-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el7-x86_64@2.2.0-2.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl@2.2.0-3.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "product_id": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-15.Final_redhat_00014.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "product": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "product_id": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.4-3.GA_redhat_00011.1.el7eap?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-xnio-base@3.8.6-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "product_id": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-xom@1.3.7-1.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.9-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.16-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-core@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-entitymanager@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-envers@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-java8@5.3.25-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-compensations@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jbosstxbridge@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jbossxts@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jts-idlj@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-jts-integration@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-api@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-bridge@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-integration@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-restat-util@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-narayana-txframework@5.11.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-cli@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-commons@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-core-client@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-dto@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-hornetq-protocol@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-hqclient-protocol@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jdbc-store@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jms-client@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-jms-server@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-journal@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-ra@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-selector@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-server@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-service-extensions@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product": { "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_id": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-activemq-artemis-tools@2.16.0-7.redhat_00034.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.11-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron-tool@1.15.11-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-jdbc@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-remote@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-client-hotrod@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-commons@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-component-annotations@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-core@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-commons@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-spi@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-v53@11.0.15-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "product_id": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-objectweb-asm@9.1.0-1.redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-vfs@3.2.16-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "product_id": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j@2.17.1-1.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "product_id": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-yasson@1.0.10-1.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "product_id": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ecj@3.26.0-1.redhat_00002.1.el7eap?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jbossws-cxf@5.4.4-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl@2.2.0-3.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-java@2.2.0-3.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-15.Final_redhat_00014.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-cli@1.10.0-15.Final_redhat_00014.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-core@1.10.0-15.Final_redhat_00014.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk11@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk8@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product": { "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_id": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.4-3.GA_redhat_00011.1.el7eap?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product": { "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product_id": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el7-x86_64@2.2.0-2.Final_redhat_00002.1.el7eap?arch=x86_64" } } }, { "category": "product_version", "name": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product": { "name": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product_id": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-openssl-el7-x86_64-debuginfo@2.2.0-2.Final_redhat_00002.1.el7eap?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src" }, "product_reference": "eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch" }, "product_reference": "eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src" }, "product_reference": "eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" }, "product_reference": "eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src" }, "product_reference": "eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src" }, "product_reference": "eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64 as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64" }, "product_reference": "eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64 as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64" }, "product_reference": "eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src" }, "product_reference": "eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" }, "product_reference": "eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44832", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-28T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2035951" } ], "notes": [ { "category": "description", "text": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: remote code execution via JDBC Appender", "title": "Vulnerability summary" }, { "category": "other", "text": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\n\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44832" }, { "category": "external", "summary": "RHBZ#2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3293", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293" } ], "release_date": "2021-12-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: remote code execution via JDBC Appender" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" }, { "cve": "CVE-2021-45105", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2021-12-19T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034067" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Product Security has performed an analysis of this flaw and has classified the Attack Complexity(AC) as High because there are multiple factors involved which are beyond attacker\u0027s control:\n\n- The application has to use the logging configuration using a Context Map Lookup (for example, $${ctx:loginId}) which is a non-default Pattern Layout.\n- The application developer has to use the map org.apache.logging.log4j.ThreadContext in the application code and save at-least one key (for example, ThreadContext.put(\"loginId\", \"myId\");) in the ThreadContext map object.\n- Attackers must also know this saved key name in order to exploit this flaw.\n\nNote that saving keys in this map is a non-essential usage of log4j and just an optional feature provided. Refer to https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup to know more about the Context Map Lookup feature of Log4j.\n\nLog4j 1.x is not impacted by this vulnerability. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using ONLY the log4j-api JAR file without the log4j-core JAR file are NOT impacted by this vulnerability.\n\n\nDespite including a vulnerable version of Log4j 2.x, this vulnerability is not exploitable in Elasticsearch[0], as shipped in OpenShift Container Platform and OpenShift Logging. OpenShift 3.11 specifically does not contain any context lookups:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nThis vulnerability is therefore rated Low for Elasticsearch in OpenShift Container Platform and OpenShift Logging.\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-december-18-4", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45105" }, { "category": "external", "summary": "RHBZ#2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3230", "url": "https://issues.apache.org/jira/browse/LOG4J2-3230" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/19/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/19/1" } ], "release_date": "2021-12-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by:\n- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}.\n- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T12:59:41+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-0:2.16.0-7.redhat_00034.1.el7eap.src", "7Server-JBEAP-7.4:eap7-activemq-artemis-cli-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-commons-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-core-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-dto-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hornetq-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-hqclient-protocol-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jdbc-store-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-client-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-jms-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-journal-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-ra-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-selector-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-server-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-service-extensions-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-activemq-artemis-tools-0:2.16.0-7.redhat_00034.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ecj-1:3.26.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.9-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.25-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.25-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.15-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.15-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-15.Final_redhat_00014.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-15.Final_redhat_00014.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-vfs-0:3.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-xnio-base-0:3.8.6-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jbossws-cxf-0:5.4.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-0:5.11.4-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-narayana-compensations-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbosstxbridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jbossxts-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-idlj-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-jts-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-api-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-bridge-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-integration-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-restat-util-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-narayana-txframework-0:5.11.4-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-objectweb-asm-0:9.1.0-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.4-3.GA_redhat_00011.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.11-1.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.11-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.4-3.GA_redhat_00011.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-openssl-0:2.2.0-3.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-el7-x86_64-debuginfo-0:2.2.0-2.Final_redhat_00002.1.el7eap.x86_64", "7Server-JBEAP-7.4:eap7-wildfly-openssl-java-0:2.2.0-3.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-xom-0:1.3.7-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-yasson-0:1.0.10-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-0:2.17.1-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0553
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Fuse provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat A-MQ is a standards compliant messaging system that is tailored for use in mission critical applications.\n\nThis patch is an update to Red Hat Fuse 6.3 and Red Hat A-MQ 6.3. It includes bug fixes, which are documented in the patch notes accompanying the package on the download page. See the download link given in the references section below.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0553", "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.amq.broker\u0026version=6.3.0", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.amq.broker\u0026version=6.3.0" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.fuse\u0026version=6.3", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.fuse\u0026version=6.3" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_amq/6.3", "url": "https://access.redhat.com/documentation/en-us/red_hat_amq/6.3" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_fuse/6.3", "url": "https://access.redhat.com/documentation/en-us/red_hat_fuse/6.3" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0553.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.3 R20 security and bug fix update", "tracking": { "current_release_date": "2024-11-06T00:28:52+00:00", "generator": { "date": "2024-11-06T00:28:52+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:0553", "initial_release_date": "2022-02-15T18:54:23+00:00", "revision_history": [ { "date": "2022-02-15T18:54:23+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-15T18:54:23+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:28:52+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Fuse/AMQ 6.3.20", "product": { "name": "Red Hat Fuse/AMQ 6.3.20", "product_id": "Red Hat Fuse/AMQ 6.3.20", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_fuse:6.3" } } } ], "category": "product_family", "name": "Red Hat JBoss Fuse" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse/AMQ 6.3.20" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-15T18:54:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse/AMQ 6.3.20" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-15T18:54:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse/AMQ 6.3.20" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-15T18:54:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse/AMQ 6.3.20" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-15T18:54:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse/AMQ 6.3.20" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_5460
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.24 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.23 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 6.4.24 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935)\n\n* jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS (CVE-2020-14384)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:5460", "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index" }, { "category": "external", "summary": "1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "1871928", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1871928" }, { "category": "external", "summary": "1873619", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1873619" }, { "category": "external", "summary": "1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_5460.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.24 security update", "tracking": { "current_release_date": "2024-11-06T01:09:24+00:00", "generator": { "date": "2024-11-06T01:09:24+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:5460", "initial_release_date": "2022-06-30T19:14:26+00:00", "revision_history": [ { "date": "2022-06-30T19:14:26+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-06-30T19:14:26+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T01:09:24+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "product": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "product_id": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossts@4.17.45-2.Final_redhat_2.1.ep6.el7?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src", "product": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src", "product_id": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossweb@7.5.32-2.Final_redhat_1.2.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-javadocs@7.5.24-1.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-mail@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-threads@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cmp@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-security@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-core-security@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-embedded@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-host-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-picketlink@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxr@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jpa@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-transactions@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-weld@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jacorb@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxrs@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-service@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-network@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ejb3@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-naming@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-connector@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsr77@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-client-all@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-platform-mbean@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-system-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-pojo@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-scanner@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-protocol@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-server@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-webservices@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsf@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-version@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-clustering@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-repository@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-remoting@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-messaging@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-http@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jdr@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-web@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee-deployment@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-management@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-xts@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller-client@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cli@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-modcluster@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-sar@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-logging@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-management-client-content@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-process-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-domain@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-welcome-content-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-product-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-bundles@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-core@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-standalone@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } }, { "category": "product_version", "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_id": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-modules-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "product": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "product_id": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossts@4.17.45-2.Final_redhat_2.1.ep6.el7?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "product": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "product_id": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossweb@7.5.32-2.Final_redhat_1.2.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-javadocs@7.5.24-1.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-mail@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-threads@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cmp@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-security@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-core-security@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-embedded@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-host-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-picketlink@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxr@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jpa@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-transactions@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-weld@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jacorb@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxrs@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-service@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-network@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ejb3@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-naming@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-connector@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsr77@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-client-all@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-platform-mbean@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-system-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-pojo@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-scanner@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-protocol@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-server@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-webservices@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsf@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-version@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-clustering@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-repository@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-remoting@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-messaging@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-http@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jdr@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-web@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee-deployment@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-management@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-xts@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller-client@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cli@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-modcluster@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-sar@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-logging@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-management-client-content@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-process-controller@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-domain@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-welcome-content-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-product-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-bundles@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-core@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-standalone@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_id": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-modules-eap@7.5.24-2.Final_redhat_00001.1.ep6.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch" }, "product_reference": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src" }, "product_reference": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch" }, "product_reference": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src" }, "product_reference": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch" }, "product_reference": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "relates_to_product_reference": "7Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" }, "product_reference": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src", "relates_to_product_reference": "7Server-JBEAP-6.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-13935", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-07-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1857024" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat, where the payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Certificate System 10.0 as well as Red Hat Enterprise Linux 8\u0027s Identity Management, are using a vulnerable version of Tomcat, bundled into the pki-servlet-engine component. However, there is no entry point for WebSockets, thus it is not possible to trigger the flaw in a supported setup. A future update may fix the code. Similarly, Red Hat OpenStack Platform 13 does not ship with WebSocket functionality enabled by default.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-13935" }, { "category": "external", "summary": "RHBZ#1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-13935", "url": "https://www.cve.org/CVERecord?id=CVE-2020-13935" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935" }, { "category": "external", "summary": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E", "url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E" }, { "category": "external", "summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7", "url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7" }, { "category": "external", "summary": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105", "url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105" }, { "category": "external", "summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57", "url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57" }, { "category": "external", "summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37", "url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37" } ], "release_date": "2020-07-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS" }, { "cve": "CVE-2020-14384", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-09-02T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1875176" } ], "notes": [ { "category": "description", "text": "A flaw was found in jbossweb. The fix for CVE-2020-13935 was incomplete in JBossWeb, leaving it vulnerable to a denial of service attack when sending multiple requests with invalid payload length in a WebSocket frame. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-14384" }, { "category": "external", "summary": "RHBZ#1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14384", "url": "https://www.cve.org/CVERecord?id=CVE-2020-14384" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384" } ], "release_date": "2020-09-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:14:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7.src", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.noarch", "7Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0527
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Web Server 3.1 for Red Hat Enterprise Linux 7 and Microsoft Windows.\n\nRed Hat Product Security has rated this release as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1 Service Pack 14 serves as a replacement for Red Hat JBoss Web Server 3.1 Service Pack 12. This release includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink [jws-3] (CVE-2022-23302)\n* log4j-eap6: log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender [jws-3] (CVE-2022-23305)\n* log4j-eap6: log4j: Unsafe deserialization flaw in Chainsaw log viewer [jws-3] (CVE-2022-23307)\n* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [jws-3.1] (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0527", "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0527.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Web Server 3.1 Service Pack 14 security update", "tracking": { "current_release_date": "2024-11-06T00:27:55+00:00", "generator": { "date": "2024-11-06T00:27:55+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:0527", "initial_release_date": "2022-02-14T17:30:24+00:00", "revision_history": [ { "date": "2022-02-14T17:30:24+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-14T17:30:24+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:27:55+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Web Server 3.1", "product": { "name": "Red Hat JBoss Web Server 3.1", "product_id": "Red Hat JBoss Web Server 3.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1" } } } ], "category": "product_family", "name": "Red Hat JBoss Web Server" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Web Server 3.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:30:24+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Web Server 3.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Web Server 3.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:30:24+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Web Server 3.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Web Server 3.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:30:24+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat JBoss Web Server 3.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Web Server 3.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Web Server 3.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-14T17:30:24+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.", "product_ids": [ "Red Hat JBoss Web Server 3.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat JBoss Web Server 3.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Web Server 3.1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2021_5269
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for rh-maven36-log4j12 is now available for Red Hat Software Collections.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Log4j is a tool to help the programmer output log statements to a variety of output targets.\n\nSecurity Fix(es):\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5269", "url": "https://access.redhat.com/errata/RHSA-2021:5269" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5269.json" } ], "title": "Red Hat Security Advisory: rh-maven36-log4j12 security update", "tracking": { "current_release_date": "2024-11-06T00:17:54+00:00", "generator": { "date": "2024-11-06T00:17:54+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2021:5269", "initial_release_date": "2021-12-22T21:29:25+00:00", "revision_history": [ { "date": "2021-12-22T21:29:25+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-12-22T21:29:25+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:17:54+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Software Collections for RHEL Workstation(v. 7)", "product": { "name": "Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7" } } }, { "category": "product_name", "name": "Red Hat Software Collections for RHEL(v. 7)", "product": { "name": "Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7" } } } ], "category": "product_family", "name": "Red Hat Software Collections" }, { "branches": [ { "category": "product_version", "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "product": { "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "product_id": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-maven36-log4j12@1.2.17-23.3.el7?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "product": { "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "product_id": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-maven36-log4j12@1.2.17-23.3.el7?arch=noarch" } } }, { "category": "product_version", "name": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "product": { "name": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "product_id": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-maven36-log4j12-javadoc@1.2.17-23.3.el7?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch" }, "product_reference": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src" }, "product_reference": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch as a component of Red Hat Software Collections for RHEL Workstation(v. 7)", "product_id": "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch" }, "product_reference": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "relates_to_product_reference": "7Server-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch" }, "product_reference": "rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src" }, "product_reference": "rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "relates_to_product_reference": "7Workstation-RHSCL-3.8" }, { "category": "default_component_of", "full_product_name": { "name": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch as a component of Red Hat Software Collections for RHEL(v. 7)", "product_id": "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch" }, "product_reference": "rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "relates_to_product_reference": "7Workstation-RHSCL-3.8" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-12-22T21:29:25+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:5269" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Server-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Server-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.noarch", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-0:1.2.17-23.3.el7.src", "7Workstation-RHSCL-3.8:rh-maven36-log4j12-javadoc-0:1.2.17-23.3.el7.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" } ] }
rhsa-2022_0497
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Data Virtualization.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems - such as multiple databases, XML files, and even Hadoop systems - appear as a set of tables in a local database.\n\nThis Service Pack release of Red Hat JBoss Data Virtualization 6.4.8.SP1 (Service Pack 1) serves as a replacement for Red Hat JBoss Data Virtualization 6.4.8, and mitigates the impact of the log4j CVE\u0027s referenced in this document by removing the affected classes from the patch.\n\nNote: customers should update their EAP 6.4 installation with the corresponding security fixes that have been released for that (see RHSA-2022:0437 and https://access.redhat.com/site/solutions/625683)\n\nSecurity Fix(es):\n\n* log4j: deserialization of untrusted data in SocketServer (CVE-2019-17571)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\n* log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0497", "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.4/html/release_notes/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.4/html/release_notes/" }, { "category": "external", "summary": "1785616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785616" }, { "category": "external", "summary": "1831139", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831139" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0497.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.4.8.SP1 security update", "tracking": { "current_release_date": "2024-11-06T00:27:37+00:00", "generator": { "date": "2024-11-06T00:27:37+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:0497", "initial_release_date": "2022-02-09T13:11:07+00:00", "revision_history": [ { "date": "2022-02-09T13:11:07+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-09T13:11:07+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:27:37+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Data Virtualization 6.4.8.SP1", "product": { "name": "Red Hat JBoss Data Virtualization 6.4.8.SP1", "product_id": "Red Hat JBoss Data Virtualization 6.4.8.SP1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_data_virtualization:6.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Data Virtualization" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-17571", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2019-12-20T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1785616" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: deserialization of untrusted data in SocketServer", "title": "Vulnerability summary" }, { "category": "other", "text": "This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.\nAlso the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417\n\nIn Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-17571" }, { "category": "external", "summary": "RHBZ#1785616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785616" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-17571", "url": "https://www.cve.org/CVERecord?id=CVE-2019-17571" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17571" } ], "release_date": "2019-12-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:\n\nlog4j.appender.file.layout=org.apache.log4j.JsonLayout", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: deserialization of untrusted data in SocketServer" }, { "cve": "CVE-2020-9488", "cwe": { "id": "CWE-295", "name": "Improper Certificate Validation" }, "discovery_date": "2020-04-25T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1831139" } ], "notes": [ { "category": "description", "text": "Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: improper validation of certificate with host mismatch in SMTP appender", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-9488" }, { "category": "external", "summary": "RHBZ#1831139", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831139" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-9488", "url": "https://www.cve.org/CVERecord?id=CVE-2020-9488" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9488", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9488" } ], "release_date": "2020-04-25T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "Previous versions can set the system property mail.smtp.ssl.checkserveridentity to true to globally enable hostname verification for SMTPS connections.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: improper validation of certificate with host mismatch in SMTP appender" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-09T13:11:07+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Data Virtualization 6.4.8.SP1" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2021_5107
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 2023 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.7.40 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5107", "url": "https://access.redhat.com/errata/RHSA-2021:5107" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2021/rhsa-2021_5107.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.7.40 security update", "tracking": { "current_release_date": "2021-12-16T15:00:00Z", "generator": { "date": "2023-07-01T05:18:00Z", "engine": { "name": "Red Hat SDEngine", "version": "3.18.0" } }, "id": "RHSA-2021:5107", "initial_release_date": "2021-12-16T15:00:00Z", "revision_history": [ { "date": "2021-12-16T15:00:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.7", "product": { "name": "Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.7::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle:v4.7.0.202112150631.p0.g3959be4.assembly.4.7.40-1", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle:v4.7.0.202112150631.p0.g3959be4.assembly.4.7.40-1", "product_id": "openshift4/ose-metering-ansible-operator-bundle:v4.7.0.202112150631.p0.g3959be4.assembly.4.7.40-1" } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator:v4.7.0-202112150631.p0.g3959be4.assembly.4.7.40", "product": { "name": "openshift4/ose-metering-ansible-operator:v4.7.0-202112150631.p0.g3959be4.assembly.4.7.40", "product_id": "openshift4/ose-metering-ansible-operator:v4.7.0-202112150631.p0.g3959be4.assembly.4.7.40" } }, { "category": "product_version", "name": "openshift4/ose-metering-hadoop:v4.7.0-202112150631.p0.g6046504.assembly.4.7.40", "product": { "name": "openshift4/ose-metering-hadoop:v4.7.0-202112150631.p0.g6046504.assembly.4.7.40", "product_id": "openshift4/ose-metering-hadoop:v4.7.0-202112150631.p0.g6046504.assembly.4.7.40" } }, { "category": "product_version", "name": "openshift4/ose-metering-hive:v4.7.0-202112140553.p0.g091bb99.assembly.stream", "product": { "name": "openshift4/ose-metering-hive:v4.7.0-202112140553.p0.g091bb99.assembly.stream", "product_id": "openshift4/ose-metering-hive:v4.7.0-202112140553.p0.g091bb99.assembly.stream" } }, { "category": "product_version", "name": "openshift4/ose-metering-presto:v4.7.0-202112150631.p0.gd502108.assembly.4.7.40", "product": { "name": "openshift4/ose-metering-presto:v4.7.0-202112150631.p0.gd502108.assembly.4.7.40", "product_id": "openshift4/ose-metering-presto:v4.7.0-202112150631.p0.gd502108.assembly.4.7.40" } } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle:v4.7.0.202112150631.p0.g3959be4.assembly.4.7.40-1 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle:v4.7.0.202112150631.p0.g3959be4.assembly.4.7.40-1" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle:v4.7.0.202112150631.p0.g3959be4.assembly.4.7.40-1", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator:v4.7.0-202112150631.p0.g3959be4.assembly.4.7.40 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator:v4.7.0-202112150631.p0.g3959be4.assembly.4.7.40" }, "product_reference": "openshift4/ose-metering-ansible-operator:v4.7.0-202112150631.p0.g3959be4.assembly.4.7.40", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hadoop:v4.7.0-202112150631.p0.g6046504.assembly.4.7.40 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop:v4.7.0-202112150631.p0.g6046504.assembly.4.7.40" }, "product_reference": "openshift4/ose-metering-hadoop:v4.7.0-202112150631.p0.g6046504.assembly.4.7.40", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hive:v4.7.0-202112140553.p0.g091bb99.assembly.stream as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-hive:v4.7.0-202112140553.p0.g091bb99.assembly.stream" }, "product_reference": "openshift4/ose-metering-hive:v4.7.0-202112140553.p0.g091bb99.assembly.stream", "relates_to_product_reference": "8Base-RHOSE-4.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-presto:v4.7.0-202112150631.p0.gd502108.assembly.4.7.40 as a component of Red Hat OpenShift Container Platform 4.7", "product_id": "8Base-RHOSE-4.7:openshift4/ose-metering-presto:v4.7.0-202112150631.p0.gd502108.assembly.4.7.40" }, "product_reference": "openshift4/ose-metering-presto:v4.7.0-202112150631.p0.gd502108.assembly.4.7.40", "relates_to_product_reference": "8Base-RHOSE-4.7" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00Z", "flags": [ { "label": "component_not_present", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle:v4.7.0.202112150631.p0.g3959be4.assembly.4.7.40-1", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator:v4.7.0-202112150631.p0.g3959be4.assembly.4.7.40", "8Base-RHOSE-4.7:openshift4/ose-metering-hive:v4.7.0-202112140553.p0.g091bb99.assembly.stream" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop:v4.7.0-202112150631.p0.g6046504.assembly.4.7.40", "8Base-RHOSE-4.7:openshift4/ose-metering-presto:v4.7.0-202112150631.p0.gd502108.assembly.4.7.40" ], "known_not_affected": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle:v4.7.0.202112150631.p0.g3959be4.assembly.4.7.40-1", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator:v4.7.0-202112150631.p0.g3959be4.assembly.4.7.40", "8Base-RHOSE-4.7:openshift4/ose-metering-hive:v4.7.0-202112140553.p0.g091bb99.assembly.stream" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" }, { "category": "external", "summary": "CVE-2021-4104", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "bz#2031667: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" } ], "release_date": "2021-12-10T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop:v4.7.0-202112150631.p0.g6046504.assembly.4.7.40", "8Base-RHOSE-4.7:openshift4/ose-metering-presto:v4.7.0-202112150631.p0.gd502108.assembly.4.7.40" ], "url": "https://access.redhat.com/errata/RHSA-2021:5107" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop:v4.7.0-202112150631.p0.g6046504.assembly.4.7.40", "8Base-RHOSE-4.7:openshift4/ose-metering-presto:v4.7.0-202112150631.p0.gd502108.assembly.4.7.40" ] } ], "threats": [ { "category": "impact", "date": "2021-12-13T00:00:00Z", "details": "Moderate" } ], "title": "Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44228", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-10T00:00:00Z", "flags": [ { "label": "component_not_present", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle:v4.7.0.202112150631.p0.g3959be4.assembly.4.7.40-1", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator:v4.7.0-202112150631.p0.g3959be4.assembly.4.7.40", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop:v4.7.0-202112150631.p0.g6046504.assembly.4.7.40" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive:v4.7.0-202112140553.p0.g091bb99.assembly.stream", "8Base-RHOSE-4.7:openshift4/ose-metering-presto:v4.7.0-202112150631.p0.gd502108.assembly.4.7.40" ], "known_not_affected": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle:v4.7.0.202112150631.p0.g3959be4.assembly.4.7.40-1", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator:v4.7.0-202112150631.p0.g3959be4.assembly.4.7.40", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop:v4.7.0-202112150631.p0.g6046504.assembly.4.7.40" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/", "url": "https://www.lunasec.io/docs/blog/log4j-zero-day/" }, { "category": "external", "summary": "CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "bz#2030932: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" } ], "release_date": "2021-12-10T02:01:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive:v4.7.0-202112140553.p0.g091bb99.assembly.stream", "8Base-RHOSE-4.7:openshift4/ose-metering-presto:v4.7.0-202112150631.p0.gd502108.assembly.4.7.40" ], "url": "https://access.redhat.com/errata/RHSA-2021:5107" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive:v4.7.0-202112140553.p0.g091bb99.assembly.stream", "8Base-RHOSE-4.7:openshift4/ose-metering-presto:v4.7.0-202112150631.p0.gd502108.assembly.4.7.40" ] } ], "threats": [ { "category": "impact", "date": "2021-12-10T00:00:00Z", "details": "Critical" } ], "title": "Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00Z", "flags": [ { "label": "component_not_present", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle:v4.7.0.202112150631.p0.g3959be4.assembly.4.7.40-1", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator:v4.7.0-202112150631.p0.g3959be4.assembly.4.7.40", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop:v4.7.0-202112150631.p0.g6046504.assembly.4.7.40" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive:v4.7.0-202112140553.p0.g091bb99.assembly.stream", "8Base-RHOSE-4.7:openshift4/ose-metering-presto:v4.7.0-202112150631.p0.gd502108.assembly.4.7.40" ], "known_not_affected": [ "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator-bundle:v4.7.0.202112150631.p0.g3959be4.assembly.4.7.40-1", "8Base-RHOSE-4.7:openshift4/ose-metering-ansible-operator:v4.7.0-202112150631.p0.g3959be4.assembly.4.7.40", "8Base-RHOSE-4.7:openshift4/ose-metering-hadoop:v4.7.0-202112150631.p0.g6046504.assembly.4.7.40" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "CVE-2021-45046", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "bz#2032580: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" } ], "release_date": "2021-12-14T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.7 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive:v4.7.0-202112140553.p0.g091bb99.assembly.stream", "8Base-RHOSE-4.7:openshift4/ose-metering-presto:v4.7.0-202112150631.p0.gd502108.assembly.4.7.40" ], "url": "https://access.redhat.com/errata/RHSA-2021:5107" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.7:openshift4/ose-metering-hive:v4.7.0-202112140553.p0.g091bb99.assembly.stream", "8Base-RHOSE-4.7:openshift4/ose-metering-presto:v4.7.0-202112150631.p0.gd502108.assembly.4.7.40" ] } ], "threats": [ { "category": "impact", "date": "2021-12-14T00:00:00Z", "details": "Moderate" } ], "title": "DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" } ] }
rhsa-2022_0445
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A new image is available for Red Hat Single Sign-On 7.4.10 on OpenJ9, running on OpenShift Container Platform 3.10 and 3.11, and 4.3.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.\n\nThis erratum releases a new image for Red Hat Single Sign-On 7.4.10 for use within the OpenShift Container Platform 3.10, OpenShift Container Platform 3.11, and within the OpenShift Container Platform 4.3 cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0445", "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-2059", "url": "https://issues.redhat.com/browse/CIAM-2059" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0445.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.4.10 on OpenJ9 for OpenShift image security update", "tracking": { "current_release_date": "2024-11-06T00:26:40+00:00", "generator": { "date": "2024-11-06T00:26:40+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:0445", "initial_release_date": "2022-02-07T14:22:21+00:00", "revision_history": [ { "date": "2022-02-07T14:22:21+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T14:22:22+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:26:40+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Middleware Containers for OpenShift", "product": { "name": "Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhosemc:1.0::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x", "product": { "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x", "product_id": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x", "product_identification_helper": { "purl": "pkg:oci/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8?arch=s390x\u0026repository_url=registry.redhat.io/rh-sso-7/sso74-openj9-openshift-rhel8\u0026tag=7.4-60" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "product": { "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "product_id": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "product_identification_helper": { "purl": "pkg:oci/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96?arch=ppc64le\u0026repository_url=registry.redhat.io/rh-sso-7/sso74-openj9-openshift-rhel8\u0026tag=7.4-60" } } } ], "category": "architecture", "name": "ppc64le" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le" }, "product_reference": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" }, "product_reference": "rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x", "relates_to_product_reference": "8Base-RHOSE-Middleware" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:22:21+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\\nsso74-https.json \\\nsso74-mysql.json \\\nsso74-mysql-persistent.json \\\nsso74-postgresql.json \\\nsso74-postgresql-persistent.json \\\nsso74-x509-https.json \\\nsso74-x509-mysql-persistent.json \\\nsso74-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:22:21+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\\nsso74-https.json \\\nsso74-mysql.json \\\nsso74-mysql-persistent.json \\\nsso74-postgresql.json \\\nsso74-postgresql-persistent.json \\\nsso74-x509-https.json \\\nsso74-x509-mysql-persistent.json \\\nsso74-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:22:21+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\\nsso74-https.json \\\nsso74-mysql.json \\\nsso74-mysql-persistent.json \\\nsso74-postgresql.json \\\nsso74-postgresql-persistent.json \\\nsso74-x509-https.json \\\nsso74-x509-mysql-persistent.json \\\nsso74-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T14:22:21+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\\nsso74-https.json \\\nsso74-mysql.json \\\nsso74-mysql-persistent.json \\\nsso74-postgresql.json \\\nsso74-postgresql-persistent.json \\\nsso74-x509-https.json \\\nsso74-x509-mysql-persistent.json \\\nsso74-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:86c46ee4bb87dbd0d2d72e694643a36ea8276862059d9fd520f2267b3d80ea96_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso74-openj9-openshift-rhel8@sha256:d147c183a21369cd9dd7d15aa468ba9df34dfa58bb80f7f3d84561d3c33d17c8_s390x" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0447
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "New Red Hat Single Sign-On 7.5.1 packages are now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.5.1 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.5.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* undertow: client side invocation timeout raised when calling over HTTP and HTTP2 (CVE-2021-3859)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to\nuse JMSSink (CVE-2022-23302)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use\nJDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to\nuse JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0447", "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/", "url": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/" }, { "category": "external", "summary": "2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-1976", "url": "https://issues.redhat.com/browse/CIAM-1976" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0447.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 security update on RHEL 7", "tracking": { "current_release_date": "2024-11-06T00:26:07+00:00", "generator": { "date": "2024-11-06T00:26:07+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:0447", "initial_release_date": "2022-02-07T13:55:22+00:00", "revision_history": [ { "date": "2022-02-07T13:55:22+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T13:55:22+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:26:07+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Single Sign-On 7.5 for RHEL 7 Server", "product": { "name": "Red Hat Single Sign-On 7.5 for RHEL 7 Server", "product_id": "7Server-RHSSO-7.5", "product_identification_helper": { "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.5::el7" } } } ], "category": "product_family", "name": "Red Hat Single Sign-On" }, { "branches": [ { "category": "product_version", "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "product": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "product_id": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak@15.0.4-1.redhat_00003.1.el7sso?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product_id": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak@15.0.4-1.redhat_00003.1.el7sso?arch=noarch" } } }, { "category": "product_version", "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product": { "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product_id": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@15.0.4-1.redhat_00003.1.el7sso?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch as a component of Red Hat Single Sign-On 7.5 for RHEL 7 Server", "product_id": "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch" }, "product_reference": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "relates_to_product_reference": "7Server-RHSSO-7.5" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src as a component of Red Hat Single Sign-On 7.5 for RHEL 7 Server", "product_id": "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src" }, "product_reference": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "relates_to_product_reference": "7Server-RHSSO-7.5" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch as a component of Red Hat Single Sign-On 7.5 for RHEL 7 Server", "product_id": "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" }, "product_reference": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "relates_to_product_reference": "7Server-RHSSO-7.5" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-3859", "cwe": { "id": "CWE-214", "name": "Invocation of Process Using Visible Sensitive Information" }, "discovery_date": "2021-09-05T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2010378" } ], "notes": [ { "category": "description", "text": "A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: client side invocation timeout raised when calling over HTTP2", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Critical flaws.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-3859" }, { "category": "external", "summary": "RHBZ#2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3859", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3859" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859" } ], "release_date": "2022-02-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:55:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0447" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: client side invocation timeout raised when calling over HTTP2" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:55:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:55:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:55:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:55:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.noarch", "7Server-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el7sso.src", "7Server-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_5459
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.24 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.23 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 6.4.24 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935)\n\n* jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS (CVE-2020-14384)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:5459", "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/html-single/installation_guide/index" }, { "category": "external", "summary": "1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "1871928", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1871928" }, { "category": "external", "summary": "1873620", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1873620" }, { "category": "external", "summary": "1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_5459.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.24 security update", "tracking": { "current_release_date": "2024-11-06T01:09:33+00:00", "generator": { "date": "2024-11-06T01:09:33+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:5459", "initial_release_date": "2022-06-30T19:00:12+00:00", "revision_history": [ { "date": "2022-06-30T19:00:12+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-06-30T19:00:12+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T01:09:33+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product": { "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el6" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "product": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "product_id": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossts@4.17.45-2.Final_redhat_2.1.ep6.el6?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src", "product": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src", "product_id": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossweb@7.5.32-2.Final_redhat_1.2.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-javadocs@7.5.24-1.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-sar@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee-deployment@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-messaging@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-host-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-management@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-process-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jpa@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-threads@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxr@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-version@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jdr@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-server@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-pojo@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-clustering@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-http@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-weld@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-naming@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller-client@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-webservices@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cli@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-system-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-logging@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-embedded@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-modcluster@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-network@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-platform-mbean@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ejb3@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-web@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-security@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-core-security@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-client-all@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-management-client-content@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-protocol@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-scanner@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cmp@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-service@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-mail@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-connector@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxrs@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsr77@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsf@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-remoting@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-transactions@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-picketlink@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jacorb@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-xts@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-repository@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-bundles@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-welcome-content-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-product-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-domain@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-standalone@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-core@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } }, { "category": "product_version", "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_id": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-modules-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "product": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "product_id": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossts@4.17.45-2.Final_redhat_2.1.ep6.el6?arch=noarch\u0026epoch=1" } } }, { "category": "product_version", "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "product": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "product_id": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossweb@7.5.32-2.Final_redhat_1.2.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-javadocs@7.5.24-1.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-sar@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee-deployment@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ee@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-messaging@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-host-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-management@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-process-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jpa@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-threads@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxr@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-version@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-configadmin@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jdr@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-server@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-pojo@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-clustering@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-domain-http@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-weld@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-naming@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller-client@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-webservices@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cli@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-system-jmx@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-logging@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-embedded@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-modcluster@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-network@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-platform-mbean@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-ejb3@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-web@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-security@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-core-security@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-client-all@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-management-client-content@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-protocol@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-scanner@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-cmp@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-osgi-service@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-mail@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-connector@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jaxrs@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsr77@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jsf@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-remoting@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-transactions@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-picketlink@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-jacorb@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-xts@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-controller@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jboss-as-deployment-repository@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-appclient@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-bundles@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-welcome-content-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-product-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-domain@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-standalone@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-core@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } }, { "category": "product_version", "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_id": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jbossas-modules-eap@7.5.24-2.Final_redhat_00001.1.ep6.el6?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch" }, "product_reference": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src" }, "product_reference": "jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch" }, "product_reference": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src" }, "product_reference": "jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch" }, "product_reference": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "relates_to_product_reference": "6Server-JBEAP-6.4" }, { "category": "default_component_of", "full_product_name": { "name": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server", "product_id": "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" }, "product_reference": "jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src", "relates_to_product_reference": "6Server-JBEAP-6.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-13935", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-07-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1857024" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Tomcat, where the payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Certificate System 10.0 as well as Red Hat Enterprise Linux 8\u0027s Identity Management, are using a vulnerable version of Tomcat, bundled into the pki-servlet-engine component. However, there is no entry point for WebSockets, thus it is not possible to trigger the flaw in a supported setup. A future update may fix the code. Similarly, Red Hat OpenStack Platform 13 does not ship with WebSocket functionality enabled by default.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-13935" }, { "category": "external", "summary": "RHBZ#1857024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1857024" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-13935", "url": "https://www.cve.org/CVERecord?id=CVE-2020-13935" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13935" }, { "category": "external", "summary": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E", "url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E" }, { "category": "external", "summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7", "url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7" }, { "category": "external", "summary": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105", "url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105" }, { "category": "external", "summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57", "url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57" }, { "category": "external", "summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37", "url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37" } ], "release_date": "2020-07-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS" }, { "cve": "CVE-2020-14384", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2020-09-02T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1875176" } ], "notes": [ { "category": "description", "text": "A flaw was found in jbossweb. The fix for CVE-2020-13935 was incomplete in JBossWeb, leaving it vulnerable to a denial of service attack when sending multiple requests with invalid payload length in a WebSocket frame. The highest threat from this vulnerability is to system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-14384" }, { "category": "external", "summary": "RHBZ#1875176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875176" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14384", "url": "https://www.cve.org/CVERecord?id=CVE-2020-14384" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14384" } ], "release_date": "2020-09-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-06-30T19:00:12+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6.src", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.noarch", "6Server-JBEAP-6.4:jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0289
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the parfait:0.5 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Parfait is a Java performance monitoring library that collects metrics and exposes them through a variety of outputs. It provides APIs for extracting performance metrics from the JVM and other sources. It interfaces to Performance Co-Pilot (PCP) using the Memory Mapped Value (MMV) machinery for extremely lightweight instrumentation.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0289", "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0289.json" } ], "title": "Red Hat Security Advisory: parfait:0.5 security update", "tracking": { "current_release_date": "2024-11-06T00:23:01+00:00", "generator": { "date": "2024-11-06T00:23:01+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:0289", "initial_release_date": "2022-01-26T14:57:42+00:00", "revision_history": [ { "date": "2022-01-26T14:57:42+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-26T14:57:42+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:23:01+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product": { "name": "Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_eus:8.4::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "parfait:0.5:8040020220124230039:d304d9ed", "product": { "name": "parfait:0.5:8040020220124230039:d304d9ed", "product_id": "parfait:0.5:8040020220124230039:d304d9ed", "product_identification_helper": { "purl": "pkg:rpmmod/redhat/parfait@0.5:8040020220124230039:d304d9ed" } } }, { "category": "product_version", "name": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product": { "name": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product_id": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.4.0%2B13998%2B1b70e2b7?arch=noarch" } } }, { "category": "product_version", "name": "parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product": { "name": "parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product_id": "parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-examples@0.5.4-4.module%2Bel8.4.0%2B13998%2B1b70e2b7?arch=noarch" } } }, { "category": "product_version", "name": "parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product": { "name": "parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product_id": "parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-javadoc@0.5.4-4.module%2Bel8.4.0%2B13998%2B1b70e2b7?arch=noarch" } } }, { "category": "product_version", "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product": { "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product_id": "pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcp-parfait-agent@0.5.4-4.module%2Bel8.4.0%2B13998%2B1b70e2b7?arch=noarch" } } }, { "category": "product_version", "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_id": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product": { "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_id": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units-javadoc@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product_id": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product": { "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product_id": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api-javadoc@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_id": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product": { "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_id": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib-javadoc@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product_id": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_id": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_id": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se-javadoc@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product_id": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product": { "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product_id": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems-javadoc@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "product": { "name": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "product_id": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.4.0%2B13998%2B1b70e2b7?arch=src" } } }, { "category": "product_version", "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product_id": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product_id": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product_id": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product_id": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product_id": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product_id": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, "product_reference": "parfait:0.5:8040020220124230039:d304d9ed", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch" }, "product_reference": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src" }, "product_reference": "parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch" }, "product_reference": "parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch" }, "product_reference": "parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch" }, "product_reference": "pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch" }, "product_reference": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src" }, "product_reference": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch" }, "product_reference": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch" }, "product_reference": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src" }, "product_reference": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch" }, "product_reference": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src" }, "product_reference": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src" }, "product_reference": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src" }, "product_reference": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src" }, "product_reference": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8040020220124230039:d304d9ed as a component of Red Hat Enterprise Linux AppStream EUS (v.8.4)", "product_id": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:57:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:57:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:57:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:57:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-examples-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:parfait-javadoc-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:pcp-parfait-agent-0:0.5.4-4.module+el8.4.0+13998+1b70e2b7.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.4.0.Z.EUS:parfait:0.5:8040020220124230039:d304d9ed:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0444
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A new image is available for Red Hat Single Sign-On 7.4.10 on OpenJDK, running on OpenShift Container Platform 3.10 and 3.11, and 4.3.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.\n\nThis erratum releases a new image for Red Hat Single Sign-On 7.4.10 for use within the OpenShift Container Platform 3.10, OpenShift Container Platform 3.11, and within the OpenShift Container Platform 4.3 cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0444", "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-2060", "url": "https://issues.redhat.com/browse/CIAM-2060" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0444.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.4.10 on OpenJDK for OpenShift image security update", "tracking": { "current_release_date": "2024-11-06T00:26:24+00:00", "generator": { "date": "2024-11-06T00:26:24+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:0444", "initial_release_date": "2022-02-07T13:41:18+00:00", "revision_history": [ { "date": "2022-02-07T13:41:18+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T13:41:18+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:26:24+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Middleware Containers for OpenShift", "product": { "name": "Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhosemc:1.0::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64", "product": { "name": "rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64", "product_id": "rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64", "product_identification_helper": { "purl": "pkg:oci/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b?arch=amd64\u0026repository_url=registry.redhat.io/rh-sso-7/sso74-openshift-rhel8\u0026tag=7.4-45" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" }, "product_reference": "rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64", "relates_to_product_reference": "8Base-RHOSE-Middleware" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:41:18+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\ sso74-https.json \\ sso74-mysql.json \\ sso74-mysql-persistent.json \\ sso74-postgresql.json \\ sso74-postgresql-persistent.json \\ sso74-x509-https.json \\ sso74-x509-mysql-persistent.json \\ sso74-x509-postgresql-persistent.json do oc replace -n openshift --force -f \\ https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource} done\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:41:18+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\ sso74-https.json \\ sso74-mysql.json \\ sso74-mysql-persistent.json \\ sso74-postgresql.json \\ sso74-postgresql-persistent.json \\ sso74-x509-https.json \\ sso74-x509-mysql-persistent.json \\ sso74-x509-postgresql-persistent.json do oc replace -n openshift --force -f \\ https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource} done\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:41:18+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\ sso74-https.json \\ sso74-mysql.json \\ sso74-mysql-persistent.json \\ sso74-postgresql.json \\ sso74-postgresql-persistent.json \\ sso74-x509-https.json \\ sso74-x509-mysql-persistent.json \\ sso74-x509-postgresql-persistent.json do oc replace -n openshift --force -f \\ https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource} done\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:41:18+00:00", "details": "To update to the latest Red Hat Single Sign-On 7.4.10 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso74-image-stream.json \\ sso74-https.json \\ sso74-mysql.json \\ sso74-mysql-persistent.json \\ sso74-postgresql.json \\ sso74-postgresql-persistent.json \\ sso74-x509-https.json \\ sso74-x509-mysql-persistent.json \\ sso74-x509-postgresql-persistent.json do oc replace -n openshift --force -f \\ https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.4.10.GA/templates/${resource} done\n\n3. Install the Red Hat Single Sign-On 7.4.10 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso74-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso74-openshift-rhel8@sha256:7f4c56719e377215a4f2d2526c3974def6e9a02093fd6a8cf3473bcd500e620b_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0450
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 2023 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A new image is available for Red Hat Single Sign-On 7.5.1, running on OpenShift Container Platform 3.10 and 3.11, and 4.9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.\n\nThis erratum releases a new image for Red Hat Single Sign-On 7.5.1 for use within the OpenShift Container Platform 3.10, OpenShift Container Platform 3.11, and within the OpenShift Container Platform 4.9 cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0450", "url": "https://access.redhat.com/errata/RHSA-2022:0450" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2022/rhsa-2022_0450.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 for OpenShift image security and enhancement update", "tracking": { "current_release_date": "2022-02-07T14:45:00Z", "generator": { "date": "2023-07-01T05:19:00Z", "engine": { "name": "Red Hat SDEngine", "version": "3.18.0" } }, "id": "RHSA-2022:0450", "initial_release_date": "2022-02-07T14:45:00Z", "revision_history": [ { "date": "2022-02-07T14:45:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Middleware Containers for OpenShift", "product": { "name": "Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhosemc:1.0::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "category": "product_version", "name": "rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "product": { "name": "rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "product_id": "rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9" } }, { "category": "product_version", "name": "rh-sso-7/sso75-openshift-rhel8:7.5-17", "product": { "name": "rh-sso-7/sso75-openshift-rhel8:7.5-17", "product_id": "rh-sso-7/sso75-openshift-rhel8:7.5-17" } } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9" }, "product_reference": "rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso75-openshift-rhel8:7.5-17 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8:7.5-17" }, "product_reference": "rh-sso-7/sso75-openshift-rhel8:7.5-17", "relates_to_product_reference": "8Base-RHOSE-Middleware" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00Z", "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8:7.5-17" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" }, { "category": "external", "summary": "CVE-2021-4104", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "bz#2031667: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" } ], "release_date": "2021-12-10T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "To update to the latest Red Hat Single Sign-On 7.5.1 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso75-image-stream.json \\\nsso75-https.json \\\nsso75-mysql.json \\\nsso75-mysql-persistent.json \\\nsso75-postgresql.json \\\nsso75-postgresql-persistent.json \\\nsso75-x509-https.json \\\nsso75-x509-mysql-persistent.json \\\nsso75-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.5.1.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.5.1 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso75-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8:7.5-17" ], "url": "https://access.redhat.com/errata/RHSA-2022:0450" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8:7.5-17" ] } ], "threats": [ { "category": "impact", "date": "2021-12-13T00:00:00Z", "details": "Moderate" } ], "title": "Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00Z", "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8:7.5-17" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" }, { "category": "external", "summary": "CVE-2022-23302", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "bz#2041949: CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" } ], "release_date": "2022-01-18T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "To update to the latest Red Hat Single Sign-On 7.5.1 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso75-image-stream.json \\\nsso75-https.json \\\nsso75-mysql.json \\\nsso75-mysql-persistent.json \\\nsso75-postgresql.json \\\nsso75-postgresql-persistent.json \\\nsso75-x509-https.json \\\nsso75-x509-mysql-persistent.json \\\nsso75-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.5.1.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.5.1 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso75-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8:7.5-17" ], "url": "https://access.redhat.com/errata/RHSA-2022:0450" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8:7.5-17" ] } ], "threats": [ { "category": "impact", "date": "2022-01-18T00:00:00Z", "details": "Moderate" } ], "title": "CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00Z", "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8:7.5-17" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" }, { "category": "external", "summary": "CVE-2022-23305", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "bz#2041959: CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" } ], "release_date": "2022-01-18T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "To update to the latest Red Hat Single Sign-On 7.5.1 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso75-image-stream.json \\\nsso75-https.json \\\nsso75-mysql.json \\\nsso75-mysql-persistent.json \\\nsso75-postgresql.json \\\nsso75-postgresql-persistent.json \\\nsso75-x509-https.json \\\nsso75-x509-mysql-persistent.json \\\nsso75-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.5.1.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.5.1 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso75-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8:7.5-17" ], "url": "https://access.redhat.com/errata/RHSA-2022:0450" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8:7.5-17" ] } ], "threats": [ { "category": "impact", "date": "2022-01-18T00:00:00Z", "details": "Important" } ], "title": "CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00Z", "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8:7.5-17" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" }, { "category": "external", "summary": "CVE-2022-23307", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "bz#2041967: CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" } ], "release_date": "2022-01-18T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "To update to the latest Red Hat Single Sign-On 7.5.1 for OpenShift image, Follow these steps to pull in the content:\n\n1. On your master hosts, ensure you are logged into the CLI as a cluster administrator or user with project administrator access to the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift in the \"openshift\" project by running the following commands:\n\n$ for resource in sso75-image-stream.json \\\nsso75-https.json \\\nsso75-mysql.json \\\nsso75-mysql-persistent.json \\\nsso75-postgresql.json \\\nsso75-postgresql-persistent.json \\\nsso75-x509-https.json \\\nsso75-x509-mysql-persistent.json \\\nsso75-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.5.1.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.5.1 for OpenShift streams in the \"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso75-openshift:1.0", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8:7.5-17" ], "url": "https://access.redhat.com/errata/RHSA-2022:0450" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle:7.5.1-9", "8Base-RHOSE-Middleware:rh-sso-7/sso75-openshift-rhel8:7.5-17" ] } ], "threats": [ { "category": "impact", "date": "2022-01-18T00:00:00Z", "details": "Important" } ], "title": "CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0437
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Enterprise Application Platform 6.4.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis asynchronous patch is an update for JBoss Enterprise Application Platform 6.4. All users of Red Hat JBoss Enterprise Application Platform 6.4 are advised to upgrade to this updated package.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0437", "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0437.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4 security update", "tracking": { "current_release_date": "2024-11-06T00:26:11+00:00", "generator": { "date": "2024-11-06T00:26:11+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:0437", "initial_release_date": "2022-02-03T18:43:46+00:00", "revision_history": [ { "date": "2022-02-03T18:43:46+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-03T18:43:46+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:26:11+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "EAP 6.4 log4j async", "product": { "name": "EAP 6.4 log4j async", "product_id": "EAP 6.4 log4j async", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:43:46+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 6.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:43:46+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 6.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:43:46+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "EAP 6.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 6.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:43:46+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 6.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "EAP 6.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 6.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0475
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Updated ovirt-engine packages that fix several bugs and add various enhancements are now available.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "The ovirt-engine package provides the manager for virtualization environments.\nThis manager enables admins to define hosts and networks, as well as to add\nstorage, create VMs and manage user permissions.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\nBug Fix(es):\n\n* With this release, the ovirt-engine-extension-logger-log4j package has been removed. It is replaced by an internal ovirt-engine implementation. \n\nWhen upgrading from earlier Red Hat Virtualization versions to RHV 4.4.10, the ovirt-engine-extension-logger-log4j package is uninstalled if it is present. If you used the ovirt-engine-extension-logger-log4j in earlier Red Hat Virtualization versions, you must manually remove the ovirt-engine-extension-logger-log4j configuration files and configure the new feature for sending log records to a remote syslog service, as outlined in the Administration Guide.\n\nAfter a successful upgrade to RHV 4.4.10, you can uninstall log4j12 without breaking the Red Hat Virtualization setup by running the following command: `$ dnf remove log4j12`. (BZ#2044277)\n\n* Previously, when preparing a host with FIPS kernel parameters enabled, the boot UUID parameter was blank after reboot. In this release, the UUID is present in the kernel arguments. Enabling FIPS does not change the UUID after reboot. (BZ#2013430)\n\n* Because installing the self-hosted engine with Cockpit is deprecated, the \u0027Installing Red Hat Virtualization as a self-hosted engine using the Cockpit web interface\u0027 link\non the Red Hat Virtualization Administration Portal login page has been replaced with the \"Installing Red Hat Virtualization as a self-hosted engine using the command line\" link. (BZ#1992476)\n\n* In this release, Red Hat Virtualization 4.4.10 requires snmp4j version 3.6.4 or later, which no longer depends on the log4j library. (BZ#2044257)", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0475", "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "1992476", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1992476" }, { "category": "external", "summary": "2013430", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2013430" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "2044257", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044257" }, { "category": "external", "summary": "2044277", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044277" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0475.json" } ], "title": "Red Hat Security Advisory: RHV Manager (ovirt-engine) security update [ovirt-4.4.10-1]", "tracking": { "current_release_date": "2024-11-06T00:27:27+00:00", "generator": { "date": "2024-11-06T00:27:27+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:0475", "initial_release_date": "2022-02-08T17:00:26+00:00", "revision_history": [ { "date": "2022-02-08T17:00:26+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-08T17:00:26+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:27:27+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product": { "name": "RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhev_manager:4.4:el8" } } } ], "category": "product_family", "name": "Red Hat Virtualization" }, { "branches": [ { "category": "product_version", "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "product": { "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "product_id": "rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm-branding-rhv@4.4.10-1.el8ev?arch=src" } } }, { "category": "product_version", "name": "snmp4j-0:3.6.4-0.1.el8ev.src", "product": { "name": "snmp4j-0:3.6.4-0.1.el8ev.src", "product_id": "snmp4j-0:3.6.4-0.1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/snmp4j@3.6.4-0.1.el8ev?arch=src" } } }, { "category": "product_version", "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "product": { "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "product_id": "ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine@4.4.10.6-0.1.el8ev?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "product": { "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "product_id": "rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm-branding-rhv@4.4.10-1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "snmp4j-0:3.6.4-0.1.el8ev.noarch", "product": { "name": "snmp4j-0:3.6.4-0.1.el8ev.noarch", "product_id": "snmp4j-0:3.6.4-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/snmp4j@3.6.4-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch", "product": { "name": "snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch", "product_id": "snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/snmp4j-javadoc@3.6.4-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-backend@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-dbscripts@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-health-check-bundler@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-restapi@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-base@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-cinderlib@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-imageio@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-ovirt-engine@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-ovirt-engine-common@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-vmconsole-proxy-helper@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-websocket-proxy@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-tools@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-tools-backup@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-vmconsole-proxy-helper@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-webadmin-portal@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ovirt-engine-websocket-proxy@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python3-ovirt-engine-lib@4.4.10.6-0.1.el8ev?arch=noarch" } } }, { "category": "product_version", "name": "rhvm-0:4.4.10.6-0.1.el8ev.noarch", "product": { "name": "rhvm-0:4.4.10.6-0.1.el8ev.noarch", "product_id": "rhvm-0:4.4.10.6-0.1.el8ev.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhvm@4.4.10.6-0.1.el8ev?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-0:4.4.10.6-0.1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src" }, "product_reference": "ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-0:4.4.10.6-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch" }, "product_reference": "rhvm-0:4.4.10.6-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch" }, "product_reference": "rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "rhvm-branding-rhv-0:4.4.10-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" }, "product_reference": "rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "snmp4j-0:3.6.4-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch" }, "product_reference": "snmp4j-0:3.6.4-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "snmp4j-0:3.6.4-0.1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src" }, "product_reference": "snmp4j-0:3.6.4-0.1.el8ev.src", "relates_to_product_reference": "8Base-RHV-S-4.4" }, { "category": "default_component_of", "full_product_name": { "name": "snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4", "product_id": "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" }, "product_reference": "snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch", "relates_to_product_reference": "8Base-RHV-S-4.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T17:00:26+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T17:00:26+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T17:00:26+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "known_not_affected": [ "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-08T17:00:26+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-branding-rhv-0:4.4.10-1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-0:4.4.10.6-0.1.el8ev.src", "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:rhvm-0:4.4.10.6-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.noarch", "8Base-RHV-S-4.4:snmp4j-0:3.6.4-0.1.el8ev.src", "8Base-RHV-S-4.4:snmp4j-javadoc-0:3.6.4-0.1.el8ev.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0661
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A minor version update (from 7.10 to 7.10.1) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "This release of Red Hat Fuse 7.10.1 serves as a replacement for Red Hat Fuse 7.10, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0661", "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0661.json" } ], "title": "Red Hat Security Advisory: Red Hat Fuse 7.10.1 release and security update", "tracking": { "current_release_date": "2024-11-06T00:31:10+00:00", "generator": { "date": "2024-11-06T00:31:10+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:0661", "initial_release_date": "2022-02-23T14:06:23+00:00", "revision_history": [ { "date": "2022-02-23T14:06:23+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-23T14:06:23+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:31:10+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Fuse 7.10.1", "product": { "name": "Red Hat Fuse 7.10.1", "product_id": "Red Hat Fuse 7.10.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_fuse:7" } } } ], "category": "product_family", "name": "Red Hat JBoss Fuse" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.10.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-23T14:06:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.10 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/", "product_ids": [ "Red Hat Fuse 7.10.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Fuse 7.10.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.10.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.10.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-23T14:06:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.10 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/", "product_ids": [ "Red Hat Fuse 7.10.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "Red Hat Fuse 7.10.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.10.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.10.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-23T14:06:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.10 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/", "product_ids": [ "Red Hat Fuse 7.10.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "Red Hat Fuse 7.10.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.10.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Fuse 7.10.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-23T14:06:23+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are available from the Fuse 7.10 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/", "product_ids": [ "Red Hat Fuse 7.10.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "Red Hat Fuse 7.10.1" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Fuse 7.10.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2021_5148
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 2023 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.8.24 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact\nof Critical. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:5148", "url": "https://access.redhat.com/errata/RHSA-2021:5148" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2021/rhsa-2021_5148.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.8.24 extras security update", "tracking": { "current_release_date": "2021-12-16T16:08:00Z", "generator": { "date": "2023-07-01T05:16:00Z", "engine": { "name": "Red Hat SDEngine", "version": "3.18.0" } }, "id": "RHSA-2021:5148", "initial_release_date": "2021-12-15T20:09:00Z", "revision_history": [ { "date": "2021-12-16T16:08:00Z", "number": "2", "summary": "Current version" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.8", "product": { "name": "Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.8::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator-bundle:v4.8.0.202112150431.p0.g0d7ecfb.assembly.art3599-1", "product": { "name": "openshift4/ose-metering-ansible-operator-bundle:v4.8.0.202112150431.p0.g0d7ecfb.assembly.art3599-1", "product_id": "openshift4/ose-metering-ansible-operator-bundle:v4.8.0.202112150431.p0.g0d7ecfb.assembly.art3599-1" } }, { "category": "product_version", "name": "openshift4/ose-metering-ansible-operator:v4.8.0-202112150431.p0.g0d7ecfb.assembly.art3599", "product": { "name": "openshift4/ose-metering-ansible-operator:v4.8.0-202112150431.p0.g0d7ecfb.assembly.art3599", "product_id": "openshift4/ose-metering-ansible-operator:v4.8.0-202112150431.p0.g0d7ecfb.assembly.art3599" } }, { "category": "product_version", "name": "openshift4/ose-metering-hadoop:v4.8.0-202112150431.p0.gebd9cb4.assembly.art3599", "product": { "name": "openshift4/ose-metering-hadoop:v4.8.0-202112150431.p0.gebd9cb4.assembly.art3599", "product_id": "openshift4/ose-metering-hadoop:v4.8.0-202112150431.p0.gebd9cb4.assembly.art3599" } }, { "category": "product_version", "name": "openshift4/ose-metering-presto:v4.8.0-202112150431.p0.g4b934ae.assembly.art3599", "product": { "name": "openshift4/ose-metering-presto:v4.8.0-202112150431.p0.g4b934ae.assembly.art3599", "product_id": "openshift4/ose-metering-presto:v4.8.0-202112150431.p0.g4b934ae.assembly.art3599" } } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator-bundle:v4.8.0.202112150431.p0.g0d7ecfb.assembly.art3599-1 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle:v4.8.0.202112150431.p0.g0d7ecfb.assembly.art3599-1" }, "product_reference": "openshift4/ose-metering-ansible-operator-bundle:v4.8.0.202112150431.p0.g0d7ecfb.assembly.art3599-1", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-ansible-operator:v4.8.0-202112150431.p0.g0d7ecfb.assembly.art3599 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator:v4.8.0-202112150431.p0.g0d7ecfb.assembly.art3599" }, "product_reference": "openshift4/ose-metering-ansible-operator:v4.8.0-202112150431.p0.g0d7ecfb.assembly.art3599", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-hadoop:v4.8.0-202112150431.p0.gebd9cb4.assembly.art3599 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop:v4.8.0-202112150431.p0.gebd9cb4.assembly.art3599" }, "product_reference": "openshift4/ose-metering-hadoop:v4.8.0-202112150431.p0.gebd9cb4.assembly.art3599", "relates_to_product_reference": "8Base-RHOSE-4.8" }, { "category": "default_component_of", "full_product_name": { "name": "openshift4/ose-metering-presto:v4.8.0-202112150431.p0.g4b934ae.assembly.art3599 as a component of Red Hat OpenShift Container Platform 4.8", "product_id": "8Base-RHOSE-4.8:openshift4/ose-metering-presto:v4.8.0-202112150431.p0.g4b934ae.assembly.art3599" }, "product_reference": "openshift4/ose-metering-presto:v4.8.0-202112150431.p0.g4b934ae.assembly.art3599", "relates_to_product_reference": "8Base-RHOSE-4.8" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00Z", "flags": [ { "label": "component_not_present", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle:v4.8.0.202112150431.p0.g0d7ecfb.assembly.art3599-1", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator:v4.8.0-202112150431.p0.g0d7ecfb.assembly.art3599" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop:v4.8.0-202112150431.p0.gebd9cb4.assembly.art3599", "8Base-RHOSE-4.8:openshift4/ose-metering-presto:v4.8.0-202112150431.p0.g4b934ae.assembly.art3599" ], "known_not_affected": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle:v4.8.0.202112150431.p0.g0d7ecfb.assembly.art3599-1", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator:v4.8.0-202112150431.p0.g0d7ecfb.assembly.art3599" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" }, { "category": "external", "summary": "CVE-2021-4104", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "bz#2031667: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" } ], "release_date": "2021-12-10T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop:v4.8.0-202112150431.p0.gebd9cb4.assembly.art3599", "8Base-RHOSE-4.8:openshift4/ose-metering-presto:v4.8.0-202112150431.p0.g4b934ae.assembly.art3599" ], "url": "https://access.redhat.com/errata/RHSA-2021:5148" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop:v4.8.0-202112150431.p0.gebd9cb4.assembly.art3599", "8Base-RHOSE-4.8:openshift4/ose-metering-presto:v4.8.0-202112150431.p0.g4b934ae.assembly.art3599" ] } ], "threats": [ { "category": "impact", "date": "2021-12-13T00:00:00Z", "details": "Moderate" } ], "title": "Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44228", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-10T00:00:00Z", "flags": [ { "label": "component_not_present", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle:v4.8.0.202112150431.p0.g0d7ecfb.assembly.art3599-1", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator:v4.8.0-202112150431.p0.g0d7ecfb.assembly.art3599", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop:v4.8.0-202112150431.p0.gebd9cb4.assembly.art3599" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:openshift4/ose-metering-presto:v4.8.0-202112150431.p0.g4b934ae.assembly.art3599" ], "known_not_affected": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle:v4.8.0.202112150431.p0.g0d7ecfb.assembly.art3599-1", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator:v4.8.0-202112150431.p0.g0d7ecfb.assembly.art3599", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop:v4.8.0-202112150431.p0.gebd9cb4.assembly.art3599" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q", "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/", "url": "https://www.lunasec.io/docs/blog/log4j-zero-day/" }, { "category": "external", "summary": "CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "bz#2030932: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932" } ], "release_date": "2021-12-10T02:01:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-presto:v4.8.0-202112150431.p0.g4b934ae.assembly.art3599" ], "url": "https://access.redhat.com/errata/RHSA-2021:5148" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:openshift4/ose-metering-presto:v4.8.0-202112150431.p0.g4b934ae.assembly.art3599" ] } ], "threats": [ { "category": "impact", "date": "2021-12-10T00:00:00Z", "details": "Critical" } ], "title": "Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00Z", "flags": [ { "label": "component_not_present", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle:v4.8.0.202112150431.p0.g0d7ecfb.assembly.art3599-1", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator:v4.8.0-202112150431.p0.g0d7ecfb.assembly.art3599", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop:v4.8.0-202112150431.p0.gebd9cb4.assembly.art3599" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla", "text": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" } ], "notes": [ { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.8:openshift4/ose-metering-presto:v4.8.0-202112150431.p0.g4b934ae.assembly.art3599" ], "known_not_affected": [ "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator-bundle:v4.8.0.202112150431.p0.g0d7ecfb.assembly.art3599-1", "8Base-RHOSE-4.8:openshift4/ose-metering-ansible-operator:v4.8.0-202112150431.p0.g0d7ecfb.assembly.art3599", "8Base-RHOSE-4.8:openshift4/ose-metering-hadoop:v4.8.0-202112150431.p0.gebd9cb4.assembly.art3599" ] }, "references": [ { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "CVE-2021-45046", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "bz#2032580: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" } ], "release_date": "2021-12-14T00:00:00Z", "remediations": [ { "category": "vendor_fix", "details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "product_ids": [ "8Base-RHOSE-4.8:openshift4/ose-metering-presto:v4.8.0-202112150431.p0.g4b934ae.assembly.art3599" ], "url": "https://access.redhat.com/errata/RHSA-2021:5148" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-4.8:openshift4/ose-metering-presto:v4.8.0-202112150431.p0.g4b934ae.assembly.art3599" ] } ], "threats": [ { "category": "impact", "date": "2021-12-14T00:00:00Z", "details": "Moderate" } ], "title": "DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" } ] }
rhsa-2022_0435
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.4.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0435", "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0435.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4 security update", "tracking": { "current_release_date": "2024-11-06T00:26:18+00:00", "generator": { "date": "2024-11-06T00:26:18+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:0435", "initial_release_date": "2022-02-03T18:23:56+00:00", "revision_history": [ { "date": "2022-02-03T18:23:56+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-03T18:23:56+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:26:18+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "EAP 7.4 log4j async", "product": { "name": "EAP 7.4 log4j async", "product_id": "EAP 7.4 log4j async", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:23:56+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 7.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:23:56+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 7.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:23:56+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "EAP 7.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4 log4j async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:23:56+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4 log4j async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "EAP 7.4 log4j async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4 log4j async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_1299
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Low" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.3 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)\n\n* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern (CVE-2021-45105)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:1299", "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#low", "url": "https://access.redhat.com/security/updates/classification/#low" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "JBEAP-22105", "url": "https://issues.redhat.com/browse/JBEAP-22105" }, { "category": "external", "summary": "JBEAP-22385", "url": "https://issues.redhat.com/browse/JBEAP-22385" }, { "category": "external", "summary": "JBEAP-22731", "url": "https://issues.redhat.com/browse/JBEAP-22731" }, { "category": "external", "summary": "JBEAP-22738", "url": "https://issues.redhat.com/browse/JBEAP-22738" }, { "category": "external", "summary": "JBEAP-22819", "url": "https://issues.redhat.com/browse/JBEAP-22819" }, { "category": "external", "summary": "JBEAP-22839", "url": "https://issues.redhat.com/browse/JBEAP-22839" }, { "category": "external", "summary": "JBEAP-22864", "url": "https://issues.redhat.com/browse/JBEAP-22864" }, { "category": "external", "summary": "JBEAP-22904", "url": "https://issues.redhat.com/browse/JBEAP-22904" }, { "category": "external", "summary": "JBEAP-22911", "url": "https://issues.redhat.com/browse/JBEAP-22911" }, { "category": "external", "summary": "JBEAP-22912", "url": "https://issues.redhat.com/browse/JBEAP-22912" }, { "category": "external", "summary": "JBEAP-22913", "url": "https://issues.redhat.com/browse/JBEAP-22913" }, { "category": "external", "summary": "JBEAP-22935", "url": "https://issues.redhat.com/browse/JBEAP-22935" }, { "category": "external", "summary": "JBEAP-22945", "url": "https://issues.redhat.com/browse/JBEAP-22945" }, { "category": "external", "summary": "JBEAP-22973", "url": "https://issues.redhat.com/browse/JBEAP-22973" }, { "category": "external", "summary": "JBEAP-23038", "url": "https://issues.redhat.com/browse/JBEAP-23038" }, { "category": "external", "summary": "JBEAP-23040", "url": "https://issues.redhat.com/browse/JBEAP-23040" }, { "category": "external", "summary": "JBEAP-23045", "url": "https://issues.redhat.com/browse/JBEAP-23045" }, { "category": "external", "summary": "JBEAP-23101", "url": "https://issues.redhat.com/browse/JBEAP-23101" }, { "category": "external", "summary": "JBEAP-23105", "url": "https://issues.redhat.com/browse/JBEAP-23105" }, { "category": "external", "summary": "JBEAP-23143", "url": "https://issues.redhat.com/browse/JBEAP-23143" }, { "category": "external", "summary": "JBEAP-23177", "url": "https://issues.redhat.com/browse/JBEAP-23177" }, { "category": "external", "summary": "JBEAP-23323", "url": "https://issues.redhat.com/browse/JBEAP-23323" }, { "category": "external", "summary": "JBEAP-23373", "url": "https://issues.redhat.com/browse/JBEAP-23373" }, { "category": "external", "summary": "JBEAP-23374", "url": "https://issues.redhat.com/browse/JBEAP-23374" }, { "category": "external", "summary": "JBEAP-23375", "url": "https://issues.redhat.com/browse/JBEAP-23375" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_1299.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update", "tracking": { "current_release_date": "2024-11-06T00:39:49+00:00", "generator": { "date": "2024-11-06T00:39:49+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:1299", "initial_release_date": "2022-04-11T13:00:49+00:00", "revision_history": [ { "date": "2022-04-11T13:00:49+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-04-11T13:00:49+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:39:49+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "EAP 7.4.4 release", "product": { "name": "EAP 7.4.4 release", "product_id": "EAP 7.4.4 release", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2021-44832", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2035951" } ], "notes": [ { "category": "description", "text": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: remote code execution via JDBC Appender", "title": "Vulnerability summary" }, { "category": "other", "text": "Log4j 1.x is not impacted by this vulnerability. Therefore versions of log4j shipped with Red Hat Enterprise Linux are NOT affected by this flaw.\n\nFor Elasticsearch, as shipped in OpenShift Container Platform and OpenShift Logging, access to the log4j2.properties configuration is limited only to the cluster administrators and exploitation requires cluster logging changes, what reduced the impact of this vulnerability significantly [0].\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-jan-6-5", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44832" }, { "category": "external", "summary": "RHBZ#2035951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44832", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3293", "url": "https://issues.apache.org/jira/browse/LOG4J2-3293" } ], "release_date": "2021-12-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "As per upstream:\n- In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java.\n- Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: remote code execution via JDBC Appender" }, { "cve": "CVE-2021-45046", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-12-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2032580" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)", "title": "Vulnerability summary" }, { "category": "other", "text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45046" }, { "category": "external", "summary": "RHBZ#2032580", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2021-44228", "url": "https://access.redhat.com/security/cve/CVE-2021-44228" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4", "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4" }, { "category": "external", "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "release_date": "2021-12-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "exploit_status", "date": "2023-05-01T00:00:00+00:00", "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)" }, { "cve": "CVE-2021-45105", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2021-12-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2034067" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Apache Log4j logging library 2.x. when the logging configuration uses a non-default Pattern Layout with a Context Lookup. Attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup and can cause Denial of Service.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Product Security has performed an analysis of this flaw and has classified the Attack Complexity(AC) as High because there are multiple factors involved which are beyond attacker\u0027s control:\n\n- The application has to use the logging configuration using a Context Map Lookup (for example, $${ctx:loginId}) which is a non-default Pattern Layout.\n- The application developer has to use the map org.apache.logging.log4j.ThreadContext in the application code and save at-least one key (for example, ThreadContext.put(\"loginId\", \"myId\");) in the ThreadContext map object.\n- Attackers must also know this saved key name in order to exploit this flaw.\n\nNote that saving keys in this map is a non-essential usage of log4j and just an optional feature provided. Refer to https://logging.apache.org/log4j/2.x/manual/lookups.html#ContextMapLookup to know more about the Context Map Lookup feature of Log4j.\n\nLog4j 1.x is not impacted by this vulnerability. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using ONLY the log4j-api JAR file without the log4j-core JAR file are NOT impacted by this vulnerability.\n\n\nDespite including a vulnerable version of Log4j 2.x, this vulnerability is not exploitable in Elasticsearch[0], as shipped in OpenShift Container Platform and OpenShift Logging. OpenShift 3.11 specifically does not contain any context lookups:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nThis vulnerability is therefore rated Low for Elasticsearch in OpenShift Container Platform and OpenShift Logging.\n\n[0] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#update-december-18-4", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-45105" }, { "category": "external", "summary": "RHBZ#2034067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-45105", "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105" }, { "category": "external", "summary": "https://issues.apache.org/jira/browse/LOG4J2-3230", "url": "https://issues.apache.org/jira/browse/LOG4J2-3230" }, { "category": "external", "summary": "https://logging.apache.org/log4j/2.x/security.html", "url": "https://logging.apache.org/log4j/2.x/security.html" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/19/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/19/1" } ], "release_date": "2021-12-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "For Log4j 2 versions up to and including 2.16.0, this flaw can be mitigated by:\n- In PatternLayout in the Log4j logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) like %X{loginId}.\n- Otherwise, in the Log4j logging configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "EAP 7.4.4 release" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-04-11T13:00:49+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "EAP 7.4.4 release" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "EAP 7.4.4 release" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "EAP 7.4.4 release" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0436
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.4.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0436", "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0436.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4 security update", "tracking": { "current_release_date": "2024-11-06T00:25:44+00:00", "generator": { "date": "2024-11-06T00:25:44+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:0436", "initial_release_date": "2022-02-03T18:30:42+00:00", "revision_history": [ { "date": "2022-02-03T18:30:42+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-03T18:30:42+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:25:44+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product": { "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7" } } }, { "category": "product_name", "name": "Red Hat JBoss EAP 7.4 for RHEL 8", "product": { "name": "Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.el8eap?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "product_id": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.2.2-1.Final_redhat_00002.1.el8eap?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" }, "product_reference": "eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:30:42+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:30:42+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:30:42+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-03T18:30:42+00:00", "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el7eap.src", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-log4j-jboss-logmanager-0:1.2.2-1.Final_redhat_00002.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0294
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the parfait:0.5 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Parfait is a Java performance monitoring library that collects metrics and exposes them through a variety of outputs. It provides APIs for extracting performance metrics from the JVM and other sources. It interfaces to Performance Co-Pilot (PCP) using the Memory Mapped Value (MMV) machinery for extremely lightweight instrumentation.\n\nSecurity Fix(es):\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0294", "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0294.json" } ], "title": "Red Hat Security Advisory: parfait:0.5 security update", "tracking": { "current_release_date": "2024-11-06T00:22:46+00:00", "generator": { "date": "2024-11-06T00:22:46+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:0294", "initial_release_date": "2022-01-26T14:48:57+00:00", "revision_history": [ { "date": "2022-01-26T14:48:57+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-01-26T14:48:57+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:22:46+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product": { "name": "Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_e4s:8.1::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "parfait:0.5:8010020220124232535:d5701770", "product": { "name": "parfait:0.5:8010020220124232535:d5701770", "product_id": "parfait:0.5:8010020220124232535:d5701770", "product_identification_helper": { "purl": "pkg:rpmmod/redhat/parfait@0.5:8010020220124232535:d5701770" } } }, { "category": "product_version", "name": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product": { "name": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product_id": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.1.0%2B14000%2Bdf5fdac7?arch=noarch" } } }, { "category": "product_version", "name": "parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product": { "name": "parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product_id": "parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-examples@0.5.4-4.module%2Bel8.1.0%2B14000%2Bdf5fdac7?arch=noarch" } } }, { "category": "product_version", "name": "parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product": { "name": "parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product_id": "parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait-javadoc@0.5.4-4.module%2Bel8.1.0%2B14000%2Bdf5fdac7?arch=noarch" } } }, { "category": "product_version", "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product": { "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product_id": "pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/pcp-parfait-agent@0.5.4-4.module%2Bel8.1.0%2B14000%2Bdf5fdac7?arch=noarch" } } }, { "category": "product_version", "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_id": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product": { "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_id": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units-javadoc@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product_id": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product": { "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product_id": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api-javadoc@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_id": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product": { "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_id": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib-javadoc@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product_id": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_id": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product": { "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_id": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se-javadoc@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product_id": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } }, { "category": "product_version", "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product": { "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product_id": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems-javadoc@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "product": { "name": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "product_id": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/parfait@0.5.4-4.module%2Bel8.1.0%2B14000%2Bdf5fdac7?arch=src" } } }, { "category": "product_version", "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product_id": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/si-units@0.6.5-2.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product_id": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/unit-api@1.0-5.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product_id": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-lib@1.0.1-6.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product_id": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-parent@1.0.3-3.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product_id": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-se@1.0.4-3.module%2Bel8%2B2463%2B615f6896?arch=src" } } }, { "category": "product_version", "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product_id": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/uom-systems@0.7-1.module%2Bel8%2B2463%2B615f6896?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, "product_reference": "parfait:0.5:8010020220124232535:d5701770", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch" }, "product_reference": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src" }, "product_reference": "parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch" }, "product_reference": "parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch" }, "product_reference": "parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch" }, "product_reference": "pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch" }, "product_reference": "si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src" }, "product_reference": "si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch" }, "product_reference": "si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch" }, "product_reference": "unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-0:1.0-5.module+el8+2463+615f6896.src as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src" }, "product_reference": "unit-api-0:1.0-5.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch" }, "product_reference": "unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src" }, "product_reference": "uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src" }, "product_reference": "uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src" }, "product_reference": "uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src" }, "product_reference": "uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" }, { "category": "default_component_of", "full_product_name": { "name": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch as a component of parfait:0.5:8010020220124232535:d5701770 as a component of Red Hat Enterprise Linux AppStream E4S (v. 8.1)", "product_id": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" }, "product_reference": "uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch", "relates_to_product_reference": "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:48:57+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:48:57+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:48:57+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-01-26T14:48:57+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-examples-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:parfait-javadoc-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:pcp-parfait-agent-0:0.5.4-4.module+el8.1.0+14000+df5fdac7.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-0:0.6.5-2.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:si-units-javadoc-0:0.6.5-2.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-0:1.0-5.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:unit-api-javadoc-0:1.0-5.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-0:1.0.1-6.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-lib-javadoc-0:1.0.1-6.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-parent-0:1.0.3-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-0:1.0.4-3.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-se-javadoc-0:1.0.4-3.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.noarch", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-0:0.7-1.module+el8+2463+615f6896.src", "AppStream-8.1.0.Z.E4S:parfait:0.5:8010020220124232535:d5701770:uom-systems-javadoc-0:0.7-1.module+el8+2463+615f6896.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
rhsa-2022_0448
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "New Red Hat Single Sign-On 7.5.1 packages are now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.5.1 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.5.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* undertow: client side invocation timeout raised when calling over HTTP and\nHTTP2 (CVE-2021-3859)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to\nuse JMSSink (CVE-2022-23302)\n\n* log4j: SQL injection in Log4j 1.x when application is configured to use\nJDBCAppender (CVE-2022-23305)\n\n* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)\n\n* log4j: Remote code execution in Log4j 1.x when application is configured to\nuse JMSAppender (CVE-2021-4104)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:0448", "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/", "url": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.5/" }, { "category": "external", "summary": "2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378" }, { "category": "external", "summary": "2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "CIAM-1976", "url": "https://issues.redhat.com/browse/CIAM-1976" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0448.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 security update on RHEL 8", "tracking": { "current_release_date": "2024-11-06T00:25:59+00:00", "generator": { "date": "2024-11-06T00:25:59+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:0448", "initial_release_date": "2022-02-07T13:54:48+00:00", "revision_history": [ { "date": "2022-02-07T13:54:48+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-02-07T13:54:48+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:25:59+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Single Sign-On 7.5 for RHEL 8", "product": { "name": "Red Hat Single Sign-On 7.5 for RHEL 8", "product_id": "8Base-RHSSO-7.5", "product_identification_helper": { "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.5::el8" } } } ], "category": "product_family", "name": "Red Hat Single Sign-On" }, { "branches": [ { "category": "product_version", "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "product": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "product_id": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak@15.0.4-1.redhat_00003.1.el8sso?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product_id": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak@15.0.4-1.redhat_00003.1.el8sso?arch=noarch" } } }, { "category": "product_version", "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product": { "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product_id": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@15.0.4-1.redhat_00003.1.el8sso?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch as a component of Red Hat Single Sign-On 7.5 for RHEL 8", "product_id": "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch" }, "product_reference": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "relates_to_product_reference": "8Base-RHSSO-7.5" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src as a component of Red Hat Single Sign-On 7.5 for RHEL 8", "product_id": "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src" }, "product_reference": "rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "relates_to_product_reference": "8Base-RHSSO-7.5" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch as a component of Red Hat Single Sign-On 7.5 for RHEL 8", "product_id": "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" }, "product_reference": "rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "relates_to_product_reference": "8Base-RHSSO-7.5" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-3859", "cwe": { "id": "CWE-214", "name": "Invocation of Process Using Visible Sensitive Information" }, "discovery_date": "2021-09-05T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2010378" } ], "notes": [ { "category": "description", "text": "A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "undertow: client side invocation timeout raised when calling over HTTP2", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Critical flaws.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-3859" }, { "category": "external", "summary": "RHBZ#2010378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3859", "url": "https://www.cve.org/CVERecord?id=CVE-2021-3859" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3859" } ], "release_date": "2022-02-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:54:48+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0448" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "undertow: client side invocation timeout raised when calling over HTTP2" }, { "cve": "CVE-2021-4104", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031667" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker\u0027s JNDI LDAP endpoint.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Based on the conditions to be exploitable (see details below), the risk is much lower than Log4j 2.x and Red Hat has assessed this to be Moderate severity. This flaw has been filed for Log4j 1.x, and the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228\n\nNote this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker\u0027s JNDI LDAP endpoint. \n\nIf the Log4j configuration is set TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Log4j 2.x, Log4j 1.x is vulnerable. However, the attack vector is reduced as it depends on having write access, which is not a standard configuration rather than untrusted user input. These are sufficient factors beyond the attacker\u0027s control.\n\nThe tomcat package shipped with Red Hat Enterprise Linux does not include log4j but it does include a default configuration for log4j, log4j.properties, which could be used with tomcat if users choose to install and configure the library. The JMSAppender is not enabled by default, and the permissions of the file can only be modified as root.\n\nRed Hat Virtualization ships log4j12-1.2.17, but it is used and configured in a way which makes this flaw not possible to exploit. Therefore impact is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "category": "external", "summary": "RHBZ#2031667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" }, { "category": "external", "summary": "RHSB-2021-009", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4104", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "category": "external", "summary": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301" }, { "category": "external", "summary": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2021/12/13/1", "url": "https://www.openwall.com/lists/oss-security/2021/12/13/1" } ], "release_date": "2021-12-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:54:48+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSAppender in the Log4j configuration if it is used\n- Remove the JMSAppender class from the classpath. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender" }, { "cve": "CVE-2022-23302", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041949" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this flaw ONLY affects applications which are specifically configured to use JMSSink, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSSink to the attacker\u0027s JNDI LDAP endpoint.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JMSSink is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23302" }, { "category": "external", "summary": "RHBZ#2041949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041949" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23302", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23302" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/3", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:54:48+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JMSSink in the Log4j configuration if it is used\n- Remove the JMSSink class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class\n```\n- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink" }, { "cve": "CVE-2022-23305", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041959" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender", "title": "Vulnerability summary" }, { "category": "other", "text": "Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization and OpenShift Container Platform in the OCP Metering stack (the Hive/Presto/Hadoop components) ship a vulnerable version of the log4j package, however JDBCAppender is not used. Therefore the impact of this vulnerability for these products is rated Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23305" }, { "category": "external", "summary": "RHBZ#2041959", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041959" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23305", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23305" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/4", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/4" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:54:48+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "workaround", "details": "These are the possible mitigations for this flaw for releases version 1.x:\n\n- Comment out or remove JDBCAppender in the Log4j configuration if it is used\n- Remove the JDBCAppender class from the server\u0027s jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/jdbc/JDBCAppender.class\n```", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender" }, { "cve": "CVE-2022-23307", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-01-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2041967" } ], "notes": [ { "category": "description", "text": "A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.", "title": "Vulnerability description" }, { "category": "summary", "text": "log4j: Unsafe deserialization flaw in Chainsaw log viewer", "title": "Vulnerability summary" }, { "category": "other", "text": "Chainsaw is a standalone graphical user interface for viewing log entries in log4j. This flaw may be bypassed by using other available means to access log entries.\n\nRed Hat Satellite bundles log4j-over-slf4j with Candlepin, however, product is not affected as it uses logback framework for logging.\n\nRed Hat Virtualization ships a vulnerable version of the log4j package, however chainsaw is not part of typical use cases. An attacker looking to exploit this would need to not only be able to generate a malicious log entry, but also have the necessary access and permissions to start chainsaw on the engine node. Therefore the impact of this vulnerability for Red Hat Virtualization is rated Low.\n\nSimilar to Red Hat Virtualization in OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of log4j package, however vulnerable chainsaw component is not used by default. Therefore the impact to OCP is reduced to Low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23307" }, { "category": "external", "summary": "RHBZ#2041967", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2041967" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" }, { "category": "external", "summary": "https://www.openwall.com/lists/oss-security/2022/01/18/5", "url": "https://www.openwall.com/lists/oss-security/2022/01/18/5" } ], "release_date": "2022-01-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-02-07T13:54:48+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "workaround", "details": "These are the mitigations available for this flaw for log4j 1.x:\n- Avoid using Chainsaw to view logs, and instead use some other utility, especially if there is a log view available within the product itself.\n- Remove the Chainsaw classes from the log4j jar files. For example:\n```\nzip -q -d log4j-*.jar org/apache/log4j/chainsaw/*\n```\n(log4j jars may be nested in zip archives within product)", "product_ids": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.noarch", "8Base-RHSSO-7.5:rh-sso7-keycloak-0:15.0.4-1.redhat_00003.1.el8sso.src", "8Base-RHSSO-7.5:rh-sso7-keycloak-server-0:15.0.4-1.redhat_00003.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "log4j: Unsafe deserialization flaw in Chainsaw log viewer" } ] }
gsd-2021-4104
Vulnerability from gsd
{ "GSD": { "alias": "CVE-2021-4104", "description": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "id": "GSD-2021-4104", "references": [ "https://www.suse.com/security/cve/CVE-2021-4104.html", "https://access.redhat.com/errata/RHSA-2022:0661", "https://access.redhat.com/errata/RHSA-2022:0553", "https://access.redhat.com/errata/RHSA-2022:0527", "https://access.redhat.com/errata/RHSA-2022:0524", "https://access.redhat.com/errata/RHSA-2022:0507", "https://access.redhat.com/errata/RHSA-2022:0497", "https://access.redhat.com/errata/RHSA-2022:0475", "https://access.redhat.com/errata/RHSA-2022:0450", "https://access.redhat.com/errata/RHSA-2022:0449", "https://access.redhat.com/errata/RHSA-2022:0448", "https://access.redhat.com/errata/RHSA-2022:0447", "https://access.redhat.com/errata/RHSA-2022:0446", "https://access.redhat.com/errata/RHSA-2022:0445", "https://access.redhat.com/errata/RHSA-2022:0444", "https://access.redhat.com/errata/RHSA-2022:0438", "https://access.redhat.com/errata/RHSA-2022:0437", "https://access.redhat.com/errata/RHSA-2022:0436", "https://access.redhat.com/errata/RHSA-2022:0435", "https://access.redhat.com/errata/RHSA-2022:0430", "https://access.redhat.com/errata/RHSA-2022:0294", "https://access.redhat.com/errata/RHSA-2022:0291", "https://access.redhat.com/errata/RHSA-2022:0290", "https://access.redhat.com/errata/RHSA-2022:0289", "https://access.redhat.com/errata/RHSA-2021:5269", "https://access.redhat.com/errata/RHSA-2021:5206", "https://access.redhat.com/errata/RHSA-2021:5186", "https://access.redhat.com/errata/RHSA-2021:5184", "https://access.redhat.com/errata/RHSA-2021:5183", "https://access.redhat.com/errata/RHSA-2021:5148", "https://access.redhat.com/errata/RHSA-2021:5141", "https://access.redhat.com/errata/RHSA-2021:5107", "https://ubuntu.com/security/CVE-2021-4104", "https://access.redhat.com/errata/RHSA-2022:1296", "https://access.redhat.com/errata/RHSA-2022:1297", "https://access.redhat.com/errata/RHSA-2022:1299", "https://alas.aws.amazon.com/cve/html/CVE-2021-4104.html", "https://linux.oracle.com/cve/CVE-2021-4104.html", "https://access.redhat.com/errata/RHSA-2022:5458", "https://access.redhat.com/errata/RHSA-2022:5459", "https://access.redhat.com/errata/RHSA-2022:5460" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2021-4104" ], "details": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "id": "GSD-2021-4104", "modified": "2023-12-13T01:23:11.557669Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2021-4104", "STATE": "PUBLIC", "TITLE": "Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Log4j 1.x", "version": { "version_data": [ { "version_affected": "=", "version_name": "Apache Log4j 1.2", "version_value": "1.2.x" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ {} ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-502 Deserialization of Untrusted Data" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cve.org/CVERecord?id=CVE-2021-44228", "refsource": "MISC", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "name": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "refsource": "MISC", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "name": "https://access.redhat.com/security/cve/CVE-2021-4104", "refsource": "MISC", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "name": "VU#930724", "refsource": "CERT-VN", "url": "https://www.kb.cert.org/vuls/id/930724" }, { "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3" }, { "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "name": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033", "refsource": "CONFIRM", "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033" }, { "name": "https://security.netapp.com/advisory/ntap-20211223-0007/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20211223-0007/" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "name": "GLSA-202209-02", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202209-02" }, { "name": "GLSA-202310-16", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202310-16" }, { "name": "GLSA-202312-02", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202312-02" }, { "name": "GLSA-202312-04", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202312-04" } ] }, "source": { "discovery": "UNKNOWN" } }, "gitlab.com": { "advisories": [ { "affected_range": "[1.2,]", "affected_versions": "All versions starting from 1.2", "cvss_v2": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "cwe_ids": [ "CWE-1035", "CWE-502", "CWE-937" ], "date": "2022-10-05", "description": "JMSAppender in Log4j is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j when specifically configured to use JMSAppender, which is not the default. Apache Log4j reached end of life in August Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "fixed_versions": [], "identifier": "CVE-2021-4104", "identifiers": [ "CVE-2021-4104" ], "not_impacted": "", "package_slug": "maven/log4j/log4j", "pubdate": "2021-12-14", "solution": "Unfortunately, there is no solution available yet.", "title": "Deserialization of Untrusted Data", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "https://access.redhat.com/security/cve/CVE-2021-4104", "https://www.cve.org/CVERecord?id=CVE-2021-44228", "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "https://www.kb.cert.org/vuls/id/930724" ], "uuid": "6e19d375-181b-4524-9f73-93fb68cd0a8a" }, { "affected_range": "[1.2]", "affected_versions": "Version 1.2", "cvss_v2": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "cwe_ids": [ "CWE-1035", "CWE-502", "CWE-937" ], "date": "2022-10-05", "description": "JMSAppender in Log4j is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide `TopicBindingName` and `TopicConnectionFactoryBindingName` configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j when specifically configured to use JMSAppender, which is not the default. Apache Log4j reached end of life in August Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "fixed_versions": [ "2.17.0" ], "identifier": "CVE-2021-4104", "identifiers": [ "CVE-2021-4104" ], "not_impacted": "All versions before 1.2, all versions after 1.2", "package_slug": "maven/org.apache.logging.log4j/log4j-core", "pubdate": "2021-12-14", "solution": "Upgrade to version 2.17.0 or above.", "title": "Deserialization of Untrusted Data", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "https://access.redhat.com/security/cve/CVE-2021-4104", "https://www.cve.org/CVERecord?id=CVE-2021-44228", "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "https://www.kb.cert.org/vuls/id/930724" ], "uuid": "5f488a4a-b189-41f4-b7b6-c6406ddb0703" }, { "affected_range": "[1.2]", "affected_versions": "Version 1.2", "cvss_v2": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "cwe_ids": [ "CWE-1035", "CWE-502", "CWE-937" ], "date": "2022-10-05", "description": "JMSAppender in Log4j is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide `TopicBindingName` and `TopicConnectionFactoryBindingName` configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j when specifically configured to use JMSAppender, which is not the default. Apache Log4j reached end of life in August Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "fixed_versions": [], "identifier": "CVE-2021-4104", "identifiers": [ "CVE-2021-4104" ], "not_impacted": "", "package_slug": "maven/org.apache.logging.log4j/log4j", "pubdate": "2021-12-14", "solution": "Unfortunately, there is no solution available yet.", "title": "Deserialization of Untrusted Data", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", "https://access.redhat.com/security/cve/CVE-2021-4104", "https://www.cve.org/CVERecord?id=CVE-2021-44228", "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", "https://www.kb.cert.org/vuls/id/930724" ], "uuid": "ad844f7c-aeec-4b0a-82bb-e69477840649" } ] }, "nvd.nist.gov": { "cve": { "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:log4j:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "2954BDA9-F03D-44AC-A9EA-3E89036EEFA8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:redhat:codeready_studio:12.0:*:*:*:*:*:*:*", "matchCriteriaId": "1BAF877F-B8D5-4313-AC5C-26BB82006B30", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*", "matchCriteriaId": "B87C8AD3-8878-4546-86C2-BF411876648C", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:integration_camel_quarkus:-:*:*:*:*:*:*:*", "matchCriteriaId": "F039C746-2001-4EE5-835F-49607A94F12B", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_a-mq:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "33C4404A-CFB7-4B47-9487-F998825C31CA", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_a-mq:7:*:*:*:*:*:*:*", "matchCriteriaId": "A58966CB-36AF-4E64-AB39-BE3A0753E155", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_a-mq_streaming:-:*:*:*:*:*:*:*", "matchCriteriaId": "8C7257E5-B4A7-4299-8FE1-A94121E47528", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD354E32-A8B0-484C-B4C6-9FBCD3430D2D", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_data_virtualization:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5CDDAFDB-E67A-4795-B2C4-C2D31734ABC8", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B142ACCC-F7A9-4A3B-BE60-0D6691D5058D", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "88BF3B2C-B121-483A-AEF2-8082F6DA5310", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "A305F012-544E-4245-9D69-1C8CD37748B1", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B40CCE4F-EA2C-453D-BB76-6388767E5C6D", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_fuse_service_works:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "3B78438D-1321-4BF4-AEB1-DAF60D589530", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_operations_network:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "C077D692-150C-4AE9-8C0B-7A3EA5EB1100", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:jboss_web_server:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "54EB07A0-FB38-4F17-9C8D-DB629967F07B", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*", "matchCriteriaId": "A33441B3-B301-426C-A976-08CE5FE72EFB", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.6:*:*:*:*:*:*:*", "matchCriteriaId": "6B62E762-2878-455A-93C9-A5DB430D7BB5", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.7:*:*:*:*:*:*:*", "matchCriteriaId": "14CF53D2-B585-4EA5-8F18-21BC9ECBB4B6", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.8:*:*:*:*:*:*:*", "matchCriteriaId": "91B493F0-5542-49F7-AAAE-E6CA6E468D7B", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "20A6B40D-F991-4712-8E30-5FE008505CB7", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890", "vulnerable": true }, { "criteria": "cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*", "matchCriteriaId": "749804DA-4B27-492A-9ABA-6BB562A6B3AC", "vulnerable": true }, { "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", "vulnerable": true }, { "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": true }, { "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:advanced_supply_chain_planning:12.1:*:*:*:*:*:*:*", "matchCriteriaId": "A62E2A25-1AD7-4B4B-9D1B-F0DEA4550557", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:advanced_supply_chain_planning:12.2:*:*:*:*:*:*:*", "matchCriteriaId": "0331158C-BBE0-42DB-8180-EB1FCD290567", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "B602F9E8-1580-436C-A26D-6E6F8121A583", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "77C3DD16-1D81-40E1-B312-50FBD275507C", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "81DAC8C0-D342-44B5-9432-6B88D389584F", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "E869C417-C0E6-4FC3-B406-45598A1D1906", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "DFEFE2C0-7B98-44F9-B3AD-D6EC607E90DA", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5:*:*:*:*:*:*:*", "matchCriteriaId": "C68536CA-C7E2-4228-A6B8-F0DB6A9D29EC", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*", "matchCriteriaId": "E1214FDF-357A-4BB9-BADE-50FB2BD16D10", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "B21E6EEF-2AB7-4E96-B092-1F49D11B4175", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_offline_mediation_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "28CDCE04-B074-4D7A-B6E4-48193458C9A0", "versionEndExcluding": "12.0.0.4.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "5933FEA2-B79E-4EE7-B821-54D676B45734", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "0D299528-8EF0-49AF-9BDE-4B6C6B1DA36C", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "17A91FD9-9F77-42D3-A4D9-48BC7568ADE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "A7637F8B-15F1-42E2-BE18-E1FF7C66587D", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "E43D793A-7756-4D58-A8ED-72DC4EC9CEA7", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:2.2.1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "6ED0EE39-C080-4E75-AE0F-3859B57EF851", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D26F3E23-F1A9-45E7-9E5F-0C0A24EE3783", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "6E8758C8-87D3-450A-878B-86CE8C9FC140", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "054B56E0-F11B-4939-B7E1-E722C67A041A", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "250A493C-E052-4978-ABBE-786DC8038448", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "2E2B771B-230A-4811-94D7-065C2722E428", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:fusion_middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "F17531CB-DE8A-4ACD-93A0-6A5A8481D51B", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:goldengate:-:*:*:*:*:*:*:*", "matchCriteriaId": "507E7AEE-C2FC-4EED-B0F7-5E41642C0BF7", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:healthcare_data_repository:8.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "66C673C4-A825-46C0-816B-103E1C058D03", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:hyperion_data_relationship_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "E8E7FBA9-0FFF-4C86-B151-28C17A142E0B", "versionEndExcluding": "11.2.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:hyperion_infrastructure_technology:*:*:*:*:*:*:*:*", "matchCriteriaId": "55BBCD48-BCC6-4E19-A4CE-970E524B9FF4", "versionEndExcluding": "11.2.8.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:identity_management_suite:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "1489DDA7-EDBE-404C-B48D-F0B52B741708", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:identity_management_suite:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "535BC19C-21A1-48E3-8CC0-B276BA5D494E", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "228DA523-4D6D-48C5-BDB0-DB1A60F23F8B", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0EBAC6D-D0CE-42A1-AEA0-2D50C8035747", "versionEndIncluding": "8.0.29", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:retail_allocation:14.1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "51E83F05-B691-4450-BCA9-32209AEC4F6A", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:retail_allocation:15.0.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "288235F9-2F9E-469A-BE14-9089D0782875", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:retail_allocation:16.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "6672F9C1-DA04-47F1-B699-C171511ACE38", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:retail_allocation:19.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "11E57939-A543-44F7-942A-88690E39EABA", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "30501D23-5044-477A-8DC3-7610126AEFD7", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:stream_analytics:-:*:*:*:*:*:*:*", "matchCriteriaId": "0B45A731-11D1-433B-B202-9C8D67C609F9", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:timesten_grid:-:*:*:*:*:*:*:*", "matchCriteriaId": "900D9DBF-8071-4CE5-A67A-9E0C00D04B87", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:tuxedo:12.2.2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "EB7D0A30-3986-49AB-B7F3-DAE0024504BA", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "A3ED272C-A545-4F8C-86C0-2736B3F2DCAF", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "C5B4C338-11E1-4235-9D5A-960B2711AC39", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "8C93F84E-9680-44EF-8656-D27440B51698", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "F14A818F-AA16-4438-A3E4-E64C9287AC66", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "04BCDC24-4A21-473C-8733-0D9CFB38A752", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions." }, { "lang": "es", "value": "JMSAppender en Log4j versi\u00f3n 1.2 es vulnerable a una deserializaci\u00f3n de datos no confiables cuando el atacante presenta acceso de escritura a la configuraci\u00f3n de Log4j. El atacante puede proporcionar configuraciones TopicBindingName y TopicConnectionFactoryBindingName haciendo que JMSAppender realice peticiones JNDI que resulten en la ejecuci\u00f3n de c\u00f3digo remota de forma similar a CVE-2021-44228. Tenga en cuenta que este problema s\u00f3lo afecta a Log4j versi\u00f3n 1.2 cuando es configurado espec\u00edficamente para usar JMSAppender, que no es el predeterminado. Apache Log4j versi\u00f3n 1.2 lleg\u00f3 al final de su vida \u00fatil en agosto de 2015. Los usuarios deber\u00edan actualizar a Log4j 2 ya que aborda otros numerosos problemas de las versiones anteriores" } ], "id": "CVE-2021-4104", "lastModified": "2023-12-22T09:15:36.510", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-12-14T12:15:12.200", "references": [ { "source": "security@apache.org", "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3" }, { "source": "security@apache.org", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "source": "security@apache.org", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "source": "security@apache.org", "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033" }, { "source": "security@apache.org", "url": "https://security.gentoo.org/glsa/202209-02" }, { "source": "security@apache.org", "url": "https://security.gentoo.org/glsa/202310-16" }, { "source": "security@apache.org", "url": "https://security.gentoo.org/glsa/202312-02" }, { "source": "security@apache.org", "url": "https://security.gentoo.org/glsa/202312-04" }, { "source": "security@apache.org", "url": "https://security.netapp.com/advisory/ntap-20211223-0007/" }, { "source": "security@apache.org", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "source": "security@apache.org", "url": "https://www.kb.cert.org/vuls/id/930724" }, { "source": "security@apache.org", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "source": "security@apache.org", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "source": "security@apache.org", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-502" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-502" } ], "source": "security@apache.org", "type": "Secondary" } ] } } } }
wid-sec-w-2024-0107
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Communications Applications umfasst eine Sammlung von Werkzeugen zur Verwaltung von Messaging-, Kommunikationsdiensten und -ressourcen.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Communications Applications ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.", "title": "Angriff" }, { "category": "general", "text": "- UNIX\n- Linux\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2024-0107 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0107.json" }, { "category": "self", "summary": "WID-SEC-2024-0107 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0107" }, { "category": "external", "summary": "Oracle Critical Patch Update Advisory - January 2024 - Appendix Oracle Communications Applications vom 2024-01-16", "url": "https://www.oracle.com/security-alerts/cpujan2024.html#AppendixCAGBU" } ], "source_lang": "en-US", "title": "Oracle Communications Applications: Mehrere Schwachstellen", "tracking": { "current_release_date": "2024-01-16T23:00:00.000+00:00", "generator": { "date": "2024-02-15T17:56:42.860+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2024-0107", "initial_release_date": "2024-01-16T23:00:00.000+00:00", "revision_history": [ { "date": "2024-01-16T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Oracle Communications Applications 7.4.0", "product": { "name": "Oracle Communications Applications 7.4.0", "product_id": "T018938", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.4.1", "product": { "name": "Oracle Communications Applications 7.4.1", "product_id": "T018939", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4.1" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.4.2", "product": { "name": "Oracle Communications Applications 7.4.2", "product_id": "T018940", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4.2" } } }, { "category": "product_name", "name": "Oracle Communications Applications 6.0.1.0.0", "product": { "name": "Oracle Communications Applications 6.0.1.0.0", "product_id": "T021634", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:6.0.1.0.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.5.0", "product": { "name": "Oracle Communications Applications 7.5.0", "product_id": "T021639", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.5.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.4", "product": { "name": "Oracle Communications Applications 7.4", "product_id": "T022811", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4" } } }, { "category": "product_name", "name": "Oracle Communications Applications \u003c= 12.0.6.0.0", "product": { "name": "Oracle Communications Applications \u003c= 12.0.6.0.0", "product_id": "T027325", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:12.0.6.0.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications \u003c= 12.0.0.8.0", "product": { "name": "Oracle Communications Applications \u003c= 12.0.0.8.0", "product_id": "T028669", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:12.0.0.8.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 3.0.3.2", "product": { "name": "Oracle Communications Applications 3.0.3.2", "product_id": "T028670", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:3.0.3.2" } } }, { "category": "product_name", "name": "Oracle Communications Applications 10.0.1.7.0", "product": { "name": "Oracle Communications Applications 10.0.1.7.0", "product_id": "T028674", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:10.0.1.7.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.4.0.7.0", "product": { "name": "Oracle Communications Applications 7.4.0.7.0", "product_id": "T028676", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4.0.7.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.4.1.5.0", "product": { "name": "Oracle Communications Applications 7.4.1.5.0", "product_id": "T028677", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4.1.5.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 7.4.2.8.0", "product": { "name": "Oracle Communications Applications 7.4.2.8.0", "product_id": "T028678", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:7.4.2.8.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 6.3.1.0.0", "product": { "name": "Oracle Communications Applications 6.3.1.0.0", "product_id": "T030578", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:6.3.1.0.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications \u003c= 12.0.0.8", "product": { "name": "Oracle Communications Applications \u003c= 12.0.0.8", "product_id": "T030579", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:12.0.0.8" } } }, { "category": "product_name", "name": "Oracle Communications Applications \u003c= 6.0.3", "product": { "name": "Oracle Communications Applications \u003c= 6.0.3", "product_id": "T030581", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:6.0.3" } } }, { "category": "product_name", "name": "Oracle Communications Applications \u003c= 12.0.0.7", "product": { "name": "Oracle Communications Applications \u003c= 12.0.0.7", "product_id": "T032083", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:12.0.0.7" } } }, { "category": "product_name", "name": "Oracle Communications Applications 15.0.0.0.0", "product": { "name": "Oracle Communications Applications 15.0.0.0.0", "product_id": "T032084", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:15.0.0.0.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications 3.0.3.3", "product": { "name": "Oracle Communications Applications 3.0.3.3", "product_id": "T032085", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:3.0.3.3" } } }, { "category": "product_name", "name": "Oracle Communications Applications 8.1.0.24.0", "product": { "name": "Oracle Communications Applications 8.1.0.24.0", "product_id": "T032086", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:8.1.0.24.0" } } }, { "category": "product_name", "name": "Oracle Communications Applications \u003c= 5.5.19", "product": { "name": "Oracle Communications Applications \u003c= 5.5.19", "product_id": "T032087", "product_identification_helper": { "cpe": "cpe:/a:oracle:communications_applications:5.5.19" } } } ], "category": "product_name", "name": "Communications Applications" } ], "category": "vendor", "name": "Oracle" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-5072", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00Z", "title": "CVE-2023-5072" }, { "cve": "CVE-2023-45648", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00Z", "title": "CVE-2023-45648" }, { "cve": "CVE-2023-44981", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00Z", "title": "CVE-2023-44981" }, { "cve": "CVE-2023-44487", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00Z", "title": "CVE-2023-44487" }, { "cve": "CVE-2023-44483", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00Z", "title": "CVE-2023-44483" }, { "cve": "CVE-2023-42794", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00Z", "title": "CVE-2023-42794" }, { "cve": "CVE-2023-42503", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00Z", "title": "CVE-2023-42503" }, { "cve": "CVE-2023-37536", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00Z", "title": "CVE-2023-37536" }, { "cve": "CVE-2023-34981", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00Z", "title": "CVE-2023-34981" }, { "cve": "CVE-2023-34034", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00Z", "title": "CVE-2023-34034" }, { "cve": "CVE-2023-33201", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00Z", "title": "CVE-2023-33201" }, { "cve": "CVE-2023-31122", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00Z", "title": "CVE-2023-31122" }, { "cve": "CVE-2023-2976", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00Z", "title": "CVE-2023-2976" }, { "cve": "CVE-2023-28823", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00Z", "title": "CVE-2023-28823" }, { "cve": "CVE-2023-25194", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00Z", "title": "CVE-2023-25194" }, { "cve": "CVE-2023-20883", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00Z", "title": "CVE-2023-20883" }, { "cve": "CVE-2022-45868", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00Z", "title": "CVE-2022-45868" }, { "cve": "CVE-2022-42920", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00Z", "title": "CVE-2022-42920" }, { "cve": "CVE-2022-36944", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00Z", "title": "CVE-2022-36944" }, { "cve": "CVE-2022-31160", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00Z", "title": "CVE-2022-31160" }, { "cve": "CVE-2022-31147", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00Z", "title": "CVE-2022-31147" }, { "cve": "CVE-2022-1471", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00Z", "title": "CVE-2022-1471" }, { "cve": "CVE-2021-4104", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00Z", "title": "CVE-2021-4104" }, { "cve": "CVE-2021-37533", "notes": [ { "category": "description", "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T028670", "T030578", "T032085", "T032086", "T021639", "T032084", "T022811", "T018940", "T021634", "T028677", "T018938", "T028678", "T018939", "T028676", "T028674" ], "last_affected": [ "T030579", "T028669", "T032083", "T027325", "T030581", "T032087" ] }, "release_date": "2024-01-16T23:00:00Z", "title": "CVE-2021-37533" } ] }
wid-sec-w-2022-0520
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "mittel" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Apache log4j ist ein Framework zum Loggen von Anwendungsmeldungen in Java.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Apache log4j ausnutzen, um beliebigen Programmcode mit den Rechten des Dienstes auszuf\u00fchren.", "title": "Angriff" }, { "category": "general", "text": "- Appliance\n- Juniper Appliance\n- Linux\n- Sonstiges\n- UNIX\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2022-0520 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2021/wid-sec-w-2022-0520.json" }, { "category": "self", "summary": "WID-SEC-2022-0520 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0520" }, { "category": "external", "summary": "NVD NIST vom 2021-12-15", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "category": "external", "summary": "IBM Security Advisory vom 2021-12-15", "url": "https://www.ibm.com/support/pages/node/6526432" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5148 vom 2021-12-15", "url": "https://access.redhat.com/errata/RHSA-2021:5148" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:4096-1 vom 2021-12-15", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009911.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:4097-1 vom 2021-12-15", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009912.html" }, { "category": "external", "summary": "Atlassian Security Advisory - Log4j", "url": "https://confluence.atlassian.com/security/multiple-products-security-advisory-log4j-vulnerable-to-remote-code-execution-cve-2021-44228-1103069934.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5186 vom 2021-12-17", "url": "https://access.redhat.com/errata/RHSA-2021:5186" }, { "category": "external", "summary": "IBM Security Bulletin 6527226 vom 2021-12-17", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-some-features-of-ibm-db2-on-openshift-and-ibm-db2-and-db2-warehouse-on-cloud-pak-for-data-cve-2021-44228/" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5183 vom 2021-12-17", "url": "https://access.redhat.com/errata/RHSA-2021:5183" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5184 vom 2021-12-17", "url": "https://access.redhat.com/errata/RHSA-2021:5184" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5141 vom 2021-12-16", "url": "https://access.redhat.com/errata/RHSA-2021:5141" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5107 vom 2021-12-16", "url": "https://access.redhat.com/errata/RHSA-2021:5107" }, { "category": "external", "summary": "Log4j Vulnerabilities Impact On Oracle E-Business Suite Analysis", "url": "https://www.integrigy.com/security-resources/log4j-vulnerabilities-impact-oracle-e-business-suite-analysis" }, { "category": "external", "summary": "Atos Security Advisory Report - OBSO-2112-01", "url": "https://networks.unify.com/security/advisories/OBSO-2112-01.pdf" }, { "category": "external", "summary": "HCL Article KB0095587 vom 2021-12-17", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0095587" }, { "category": "external", "summary": "IBM Security Bulletin 6527952 vom 2021-12-18", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-log4shell-vulnerability-affects-ibm-spss-statistics-cve-2021-4104/" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:4112-1 vom 2021-12-17", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009916.html" }, { "category": "external", "summary": "IBM Security Bulletin 6527834 vom 2021-12-18", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-cve-2021-4104-affects-infosphere-data-replication/" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:4115-1 vom 2021-12-17", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009918.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:4111-1 vom 2021-12-17", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009917.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:14866-1 vom 2021-12-17", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009915.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5206 vom 2021-12-20", "url": "https://access.redhat.com/errata/RHSA-2021:5206" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2021-5206 vom 2021-12-21", "url": "https://linux.oracle.com/errata/ELSA-2021-5206.html" }, { "category": "external", "summary": "IBM Security Bulletin 6528678 vom 2021-12-22", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-some-features-of-ibm-db2-cve-2021-4104/" }, { "category": "external", "summary": "IBM Security Bulletin 6529056 vom 2021-12-22", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-affect-ibm-app-connect-enterprise-v11-v12-and-ibm-integration-bus-cve-2021-4104/" }, { "category": "external", "summary": "CentOS Security Advisory CESA-2021:5206 vom 2021-12-21", "url": "https://lists.centos.org/pipermail/centos-announce/2021-December/060975.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:4160-1 vom 2021-12-22", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009934.html" }, { "category": "external", "summary": "IBM Security Bulletin 6536868 vom 2021-12-23", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-have-been-identified-in-apache-log4j-shipped-with-ibm-tivoli-netcool-omnibus-common-integration-libraries-cve-2021-4104-cve-2021-45046-cve-2021-44228/" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2021:5269 vom 2021-12-23", "url": "https://access.redhat.com/errata/RHSA-2021:5269" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2021:4190-1 vom 2021-12-24", "url": "https://lists.suse.com/pipermail/sle-security-updates/2021-December/009943.html" }, { "category": "external", "summary": "EMC Security Advisory DSA-2021-274 vom 2022-01-09", "url": "https://www.dell.com/support/kbdoc/de-de/000194503/dsa-2021-274-dell-emc-data-domain-security-update-for-apache-log4j-remote-code-execution-vulnerability-cve-2021-44228" }, { "category": "external", "summary": "HPE Security Bulletin HPESBGN04215 rev.10 vom 2022-01-08", "url": "https://support.hpe.com/hpesc/public/docDisplay?elq_mid=17739\u0026elq_cid=67018031\u0026docId=hpesbgn04215en_us" }, { "category": "external", "summary": "IBM Security Bulletin 6539408 vom 2022-01-11", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-apache-log4j-affect-the-ibm-websphere-application-server-and-ibm-security-guardium-key-lifecycle-manager-cve-2021-4104-cve-2021-45046-cve-2021-45105/" }, { "category": "external", "summary": "Juniper Security Bulletin JSA11287 vom 2022-01-12", "url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA11287\u0026cat=SIRT_1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-5223-1 vom 2022-01-13", "url": "https://ubuntu.com/security/notices/USN-5223-1" }, { "category": "external", "summary": "IBM Security Bulletin 6540892 vom 2022-01-15", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-some-features-of-ibm-spss-analytic-server-cve-2021-4104/" }, { "category": "external", "summary": "Unify Security Advisory Report OBSO-2201-01 vom 2022-01-18", "url": "https://networks.unify.com/security/advisories/OBSO-2201-01.pdf" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALAS-2022-1562 vom 2022-01-20", "url": "https://alas.aws.amazon.com/ALAS-2022-1562.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0126-1 vom 2022-01-19", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-January/010026.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0133-1 vom 2022-01-20", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-January/010032.html" }, { "category": "external", "summary": "IBM Security Bulletin 6550448 vom 2022-01-25", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-data-studio-client-cve-2021-4104/" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0291 vom 2022-01-26", "url": "https://access.redhat.com/errata/RHSA-2022:0291" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0289 vom 2022-01-26", "url": "https://access.redhat.com/errata/RHSA-2022:0289" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0294 vom 2022-01-26", "url": "https://access.redhat.com/errata/RHSA-2022:0294" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2022-9056 vom 2022-01-26", "url": "https://linux.oracle.com/errata/ELSA-2022-9056.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0290 vom 2022-01-26", "url": "https://access.redhat.com/errata/RHSA-2022:0290" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2022-0290 vom 2022-01-27", "url": "http://linux.oracle.com/errata/ELSA-2022-0290.html" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALAS-2022-1739 vom 2022-01-27", "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1739.html" }, { "category": "external", "summary": "IBM Security Bulletin 6551880 vom 2022-01-29", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-spectrum-scale-cve-2021-4104/" }, { "category": "external", "summary": "Debian Security Advisory DLA-2905 vom 2022-01-31", "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00033.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0436 vom 2022-02-04", "url": "https://access.redhat.com/errata/RHSA-2022:0436" }, { "category": "external", "summary": "IBM Security Bulletin 6553622 vom 2022-02-04", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-server-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-44228-3/" }, { "category": "external", "summary": "IBM Security Bulletin 6553626 vom 2022-02-04", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-cve-2021-44228-in-ibm-informix-dynamic-server-in-cloud-pak-for-data-2/" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0438 vom 2022-02-04", "url": "https://access.redhat.com/errata/RHSA-2022:0438" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0430 vom 2022-02-03", "url": "https://access.redhat.com/errata/RHSA-2022:0430" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0435 vom 2022-02-04", "url": "https://access.redhat.com/errata/RHSA-2022:0435" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0437 vom 2022-02-04", "url": "https://access.redhat.com/errata/RHSA-2022:0437" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0450 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0450" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0445 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0445" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0448 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0448" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0449 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0449" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0446 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0446" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0447 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0447" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0444 vom 2022-02-08", "url": "https://access.redhat.com/errata/RHSA-2022:0444" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0475 vom 2022-02-09", "url": "https://access.redhat.com/errata/RHSA-2022:0475" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0497 vom 2022-02-09", "url": "https://access.redhat.com/errata/RHSA-2022:0497" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0354-1 vom 2022-02-09", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-February/010195.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2022:0355-1 vom 2022-02-09", "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-February/010196.html" }, { "category": "external", "summary": "HCL Article KB0097471 vom 2022-05-18", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097471" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0507 vom 2022-02-10", "url": "https://access.redhat.com/errata/RHSA-2022:0507" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0527 vom 2022-02-14", "url": "https://access.redhat.com/errata/RHSA-2022:0527" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0524 vom 2022-02-14", "url": "https://access.redhat.com/errata/RHSA-2022:0524" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0553 vom 2022-02-15", "url": "https://access.redhat.com/errata/RHSA-2022:0553" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:0661 vom 2022-02-23", "url": "https://access.redhat.com/errata/RHSA-2022:0661" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2022-9419 vom 2022-05-23", "url": "https://linux.oracle.com/errata/ELSA-2022-9419.html" }, { "category": "external", "summary": "IBM Security Bulletin 6563561 vom 2022-03-16", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-4104/" }, { "category": "external", "summary": "IBM Security Bulletin 6565387 vom 2022-03-23", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-websphere-service-registry-and-repository-cve-2021-4104/" }, { "category": "external", "summary": "HCL Article KB0097470 vom 2022-03-25", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097470" }, { "category": "external", "summary": "HCL Article KB0096807 vom 2022-03-29", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0096807" }, { "category": "external", "summary": "IBM Security Bulletin", "url": "https://www.ibm.com/support/pages/node/6569189" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:1296 vom 2022-04-11", "url": "https://access.redhat.com/errata/RHSA-2022:1296" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:1297 vom 2022-04-11", "url": "https://access.redhat.com/errata/RHSA-2022:1297" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:1299 vom 2022-04-11", "url": "https://access.redhat.com/errata/RHSA-2022:1299" }, { "category": "external", "summary": "HCL Article KB0097639 vom 2022-04-23", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097639" }, { "category": "external", "summary": "HCL Article KB0097650 vom 2022-04-23", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097650" }, { "category": "external", "summary": "AVAYA Security Advisory ASA-2022-022 vom 2022-04-25", "url": "https://downloads.avaya.com/css/P8/documents/101081577" }, { "category": "external", "summary": "HCL Article KB0097787 vom 2022-04-28", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097787" }, { "category": "external", "summary": "IBM Security Bulletin 6575541 vom 2022-04-28", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-may-be-affected-by-vulnerabilities-in-apache-log4j-1-x-version/" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:5460 vom 2022-07-01", "url": "https://access.redhat.com/errata/RHSA-2022:5460" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:5458 vom 2022-07-01", "url": "https://access.redhat.com/errata/RHSA-2022:5458" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2022:5459 vom 2022-07-01", "url": "https://access.redhat.com/errata/RHSA-2022:5459" }, { "category": "external", "summary": "HCL Article KB0099671 vom 2022-07-24", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0099671" }, { "category": "external", "summary": "HCL Article KB0099128 vom 2022-07-24", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0099128" }, { "category": "external", "summary": "HCL Article KB0099131 vom 2022-07-24", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0099131" }, { "category": "external", "summary": "HCL Article KB0099667 vom 2022-08-13", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0099667" }, { "category": "external", "summary": "HCL Article KB0099669 vom 2022-08-13", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0099669" }, { "category": "external", "summary": "HCL Article KB0100505 vom 2022-09-21", "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0100505" }, { "category": "external", "summary": "IBM Security Bulletin 6829357 vom 2022-10-15", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-may-be-affected-by-vulnerabilities-in-apache-log4j-1-x-version-2/" }, { "category": "external", "summary": "IBM Security Bulletin 6831267 vom 2022-10-22", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-manager-is-affected-by-log4j-vulnerability-cve-2021-4104/" }, { "category": "external", "summary": "IBM Security Bulletin 6832160 vom 2022-10-27", "url": "https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4j-ibm-qradar-siem-is-vulnerable-to-arbitrary-code-execution-cve-2019-17571-cve-2021-44832-cve-2021-4104/" }, { "category": "external", "summary": "IBM Security Bulletin 7009621 vom 2023-07-25", "url": "https://www.ibm.com/support/pages/node/7014395" }, { "category": "external", "summary": "Gentoo Linux Security Advisory GLSA-202312-04 vom 2023-12-22", "url": "https://www.cybersecurity-help.cz/vdb/SB2023122213" }, { "category": "external", "summary": "Gentoo Linux Security Advisory GLSA-202312-04 vom 2023-12-22", "url": "https://security.gentoo.org/glsa/202312-04" }, { "category": "external", "summary": "IBM Security Bulletin vom 2023-10-27", "url": "https://www.ibm.com/support/pages/node/7060803" }, { "category": "external", "summary": "IBM Security Bulletin 7152257 vom 2024-05-15", "url": "https://www.ibm.com/support/pages/node/7152257" } ], "source_lang": "en-US", "title": "Apache log4j: Schwachstelle erm\u00f6glicht Ausf\u00fchren von beliebigem Programmcode", "tracking": { "current_release_date": "2024-05-14T22:00:00.000+00:00", "generator": { "date": "2024-05-15T09:34:34.640+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2022-0520", "initial_release_date": "2021-12-15T23:00:00.000+00:00", "revision_history": [ { "date": "2021-12-15T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2021-12-16T23:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Atlassian, Red Hat, Unify und IBM aufgenommen" }, { "date": "2021-12-19T23:00:00.000+00:00", "number": "3", "summary": "Neue Updates von HCL, IBM und SUSE aufgenommen" }, { "date": "2021-12-20T23:00:00.000+00:00", "number": "4", "summary": "Neue Updates von Red Hat und Oracle Linux aufgenommen" }, { "date": "2021-12-21T23:00:00.000+00:00", "number": "5", "summary": "Neue Updates von IBM und CentOS aufgenommen" }, { "date": "2021-12-22T23:00:00.000+00:00", "number": "6", "summary": "Neue Updates von SUSE, IBM und Red Hat aufgenommen" }, { "date": "2021-12-26T23:00:00.000+00:00", "number": "7", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2022-01-09T23:00:00.000+00:00", "number": "8", "summary": "Neue Updates von EMC und HP aufgenommen" }, { "date": "2022-01-10T23:00:00.000+00:00", "number": "9", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-01-12T23:00:00.000+00:00", "number": "10", "summary": "Neue Updates von Juniper aufgenommen" }, { "date": "2022-01-13T23:00:00.000+00:00", "number": "11", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2022-01-16T23:00:00.000+00:00", "number": "12", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-01-18T23:00:00.000+00:00", "number": "13", "summary": "Neue Updates von Unify aufgenommen" }, { "date": "2022-01-19T23:00:00.000+00:00", "number": "14", "summary": "Neue Updates von Amazon und SUSE aufgenommen" }, { "date": "2022-01-20T23:00:00.000+00:00", "number": "15", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2022-01-24T23:00:00.000+00:00", "number": "16", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-01-26T23:00:00.000+00:00", "number": "17", "summary": "Neue Updates von Red Hat und Oracle Linux aufgenommen" }, { "date": "2022-01-27T23:00:00.000+00:00", "number": "18", "summary": "Neue Updates von Oracle Linux und Amazon aufgenommen" }, { "date": "2022-01-30T23:00:00.000+00:00", "number": "19", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-01-31T23:00:00.000+00:00", "number": "20", "summary": "Neue Updates von Debian aufgenommen" }, { "date": "2022-02-03T23:00:00.000+00:00", "number": "21", "summary": "Neue Updates von Red Hat und IBM aufgenommen" }, { "date": "2022-02-07T23:00:00.000+00:00", "number": "22", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-02-08T23:00:00.000+00:00", "number": "23", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-02-09T23:00:00.000+00:00", "number": "24", "summary": "Neue Updates von Red Hat und SUSE aufgenommen" }, { "date": "2022-02-10T23:00:00.000+00:00", "number": "25", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-02-14T23:00:00.000+00:00", "number": "26", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-02-15T23:00:00.000+00:00", "number": "27", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-02-23T23:00:00.000+00:00", "number": "28", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-03-15T23:00:00.000+00:00", "number": "29", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-03-22T23:00:00.000+00:00", "number": "30", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-03-24T23:00:00.000+00:00", "number": "31", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-03-29T22:00:00.000+00:00", "number": "32", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-04-04T22:00:00.000+00:00", "number": "33", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-04-11T22:00:00.000+00:00", "number": "34", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-04-24T22:00:00.000+00:00", "number": "35", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-04-26T22:00:00.000+00:00", "number": "36", "summary": "Neue Updates von AVAYA aufgenommen" }, { "date": "2022-04-27T22:00:00.000+00:00", "number": "37", "summary": "Neue Updates von HCL und IBM aufgenommen" }, { "date": "2022-05-17T22:00:00.000+00:00", "number": "38", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-05-23T22:00:00.000+00:00", "number": "39", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2022-06-30T22:00:00.000+00:00", "number": "40", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2022-07-24T22:00:00.000+00:00", "number": "41", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-08-14T22:00:00.000+00:00", "number": "42", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-09-20T22:00:00.000+00:00", "number": "43", "summary": "Neue Updates von HCL aufgenommen" }, { "date": "2022-10-16T22:00:00.000+00:00", "number": "44", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-10-23T22:00:00.000+00:00", "number": "45", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2022-10-26T22:00:00.000+00:00", "number": "46", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2023-07-24T22:00:00.000+00:00", "number": "47", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2023-10-29T23:00:00.000+00:00", "number": "48", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2023-12-21T23:00:00.000+00:00", "number": "49", "summary": "Neue Updates von Gentoo aufgenommen" }, { "date": "2024-05-14T22:00:00.000+00:00", "number": "50", "summary": "Neue Updates von IBM aufgenommen" } ], "status": "final", "version": "50" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Amazon Linux 2", "product": { "name": "Amazon Linux 2", "product_id": "398363", "product_identification_helper": { "cpe": "cpe:/o:amazon:linux_2:-" } } } ], "category": "vendor", "name": "Amazon" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "1.2", "product": { "name": "Apache log4j 1.2", "product_id": "T021343", "product_identification_helper": { "cpe": "cpe:/a:apache:log4j:1.2" } } }, { "category": "product_version_range", "name": "\u003c2", "product": { "name": "Apache log4j \u003c2", "product_id": "T021344", "product_identification_helper": { "cpe": "cpe:/a:apache:log4j:2" } } } ], "category": "product_name", "name": "log4j" } ], "category": "vendor", "name": "Apache" }, { "branches": [ { "category": "product_name", "name": "Atlassian Bitbucket", "product": { "name": "Atlassian Bitbucket", "product_id": "T021356", "product_identification_helper": { "cpe": "cpe:/a:atlassian:bitbucket:-" } } } ], "category": "vendor", "name": "Atlassian" }, { "branches": [ { "category": "product_name", "name": "Avaya Aura Application Enablement Services", "product": { "name": "Avaya Aura Application Enablement Services", "product_id": "T015516", "product_identification_helper": { "cpe": "cpe:/a:avaya:aura_application_enablement_services:-" } } }, { "category": "product_name", "name": "Avaya Aura Communication Manager", "product": { "name": "Avaya Aura Communication Manager", "product_id": "T015126", "product_identification_helper": { "cpe": "cpe:/a:avaya:communication_manager:-" } } }, { "category": "product_name", "name": "Avaya Aura Experience Portal", "product": { "name": "Avaya Aura Experience Portal", "product_id": "T015519", "product_identification_helper": { "cpe": "cpe:/a:avaya:aura_experience_portal:-" } } }, { "category": "product_name", "name": "Avaya Aura Session Manager", "product": { "name": "Avaya Aura Session Manager", "product_id": "T015127", "product_identification_helper": { "cpe": "cpe:/a:avaya:session_manager:-" } } }, { "category": "product_name", "name": "Avaya Aura System Manager", "product": { "name": "Avaya Aura System Manager", "product_id": "T015518", "product_identification_helper": { "cpe": "cpe:/a:avaya:aura_system_manager:-" } } }, { "category": "product_name", "name": "Avaya Web License Manager", "product": { "name": "Avaya Web License Manager", "product_id": "T016243", "product_identification_helper": { "cpe": "cpe:/a:avaya:web_license_manager:-" } } }, { "category": "product_name", "name": "Avaya one-X", "product": { "name": "Avaya one-X", "product_id": "1024", "product_identification_helper": { "cpe": "cpe:/a:avaya:one-x:-" } } } ], "category": "vendor", "name": "Avaya" }, { "branches": [ { "category": "product_name", "name": "Debian Linux", "product": { "name": "Debian Linux", "product_id": "2951", "product_identification_helper": { "cpe": "cpe:/o:debian:debian_linux:-" } } } ], "category": "vendor", "name": "Debian" }, { "branches": [ { "category": "product_name", "name": "EMC Data Domain", "product": { "name": "EMC Data Domain", "product_id": "T021496", "product_identification_helper": { "cpe": "cpe:/o:emc:data_domain:-" } } }, { "category": "product_name", "name": "EMC Data Domain OS", "product": { "name": "EMC Data Domain OS", "product_id": "T006099", "product_identification_helper": { "cpe": "cpe:/o:emc:data_domain_os:-" } } } ], "category": "vendor", "name": "EMC" }, { "branches": [ { "category": "product_name", "name": "Gentoo Linux", "product": { "name": "Gentoo Linux", "product_id": "T012167", "product_identification_helper": { "cpe": "cpe:/o:gentoo:linux:-" } } } ], "category": "vendor", "name": "Gentoo" }, { "branches": [ { "category": "product_name", "name": "HCL Commerce", "product": { "name": "HCL Commerce", "product_id": "T019293", "product_identification_helper": { "cpe": "cpe:/a:hcltechsw:commerce:-" } } } ], "category": "vendor", "name": "HCL" }, { "branches": [ { "category": "product_name", "name": "IBM DB2", "product": { "name": "IBM DB2", "product_id": "5104", "product_identification_helper": { "cpe": "cpe:/a:ibm:db2:-" } } }, { "category": "product_name", "name": "IBM Data Studio", "product": { "name": "IBM Data Studio", "product_id": "T021807", "product_identification_helper": { "cpe": "cpe:/a:ibm:data_studio:-" } } }, { "category": "product_name", "name": "IBM InfoSphere Data Replication", "product": { "name": "IBM InfoSphere Data Replication", "product_id": "T021399", "product_identification_helper": { "cpe": "cpe:/a:ibm:infosphere_data_replication:-" } } }, { "branches": [ { "category": "product_version", "name": "11.7", "product": { "name": "IBM InfoSphere Information Server 11.7", "product_id": "444803", "product_identification_helper": { "cpe": "cpe:/a:ibm:infosphere_information_server:11.7" } } } ], "category": "product_name", "name": "InfoSphere Information Server" }, { "branches": [ { "category": "product_version", "name": "Dynamic Server", "product": { "name": "IBM Informix Dynamic Server", "product_id": "T021953", "product_identification_helper": { "cpe": "cpe:/a:ibm:informix:::dynamic_server" } } } ], "category": "product_name", "name": "Informix" }, { "category": "product_name", "name": "IBM Integration Bus", "product": { "name": "IBM Integration Bus", "product_id": "T011169", "product_identification_helper": { "cpe": "cpe:/a:ibm:integration_bus:-" } } }, { "branches": [ { "category": "product_version", "name": "7.6.1.2", "product": { "name": "IBM Maximo Asset Management 7.6.1.2", "product_id": "812526", "product_identification_helper": { "cpe": "cpe:/a:ibm:maximo_asset_management:7.6.1.2" } } } ], "category": "product_name", "name": "Maximo Asset Management" }, { "branches": [ { "category": "product_version", "name": "7.5", "product": { "name": "IBM QRadar SIEM 7.5", "product_id": "T022954", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:7.5" } } }, { "category": "product_version", "name": "7.5.0", "product": { "name": "IBM QRadar SIEM 7.5.0", "product_id": "T023574", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:7.5.0" } } }, { "category": "product_version", "name": "7.4", "product": { "name": "IBM QRadar SIEM 7.4", "product_id": "T024775", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:7.4" } } } ], "category": "product_name", "name": "QRadar SIEM" }, { "category": "product_name", "name": "IBM SPSS", "product": { "name": "IBM SPSS", "product_id": "T013570", "product_identification_helper": { "cpe": "cpe:/a:ibm:spss:-" } } }, { "category": "product_name", "name": "IBM Security Access Manager for Enterprise Single Sign-On", "product": { "name": "IBM Security Access Manager for Enterprise Single Sign-On", "product_id": "T006523", "product_identification_helper": { "cpe": "cpe:/a:ibm:security_access_manager_for_enterprise_single_sign_on:-" } } }, { "category": "product_name", "name": "IBM Security Guardium", "product": { "name": "IBM Security Guardium", "product_id": "T021345", "product_identification_helper": { "cpe": "cpe:/a:ibm:security_guardium:-" } } }, { "branches": [ { "category": "product_version", "name": "6.0.2", "product": { "name": "IBM Security Identity Manager 6.0.2", "product_id": "976243", "product_identification_helper": { "cpe": "cpe:/a:ibm:security_identity_manager:6.0.2" } } } ], "category": "product_name", "name": "Security Identity Manager" }, { "category": "product_name", "name": "IBM Spectrum Scale", "product": { "name": "IBM Spectrum Scale", "product_id": "T019402", "product_identification_helper": { "cpe": "cpe:/a:ibm:spectrum_scale:-" } } }, { "category": "product_name", "name": "IBM Tivoli Netcool/OMNIbus", "product": { "name": "IBM Tivoli Netcool/OMNIbus", "product_id": "T004181", "product_identification_helper": { "cpe": "cpe:/a:ibm:tivoli_netcool%2fomnibus:-" } } }, { "branches": [ { "category": "product_version", "name": "8.5.x", "product": { "name": "IBM WebSphere Service Registry and Repository 8.5.x", "product_id": "T022377", "product_identification_helper": { "cpe": "cpe:/a:ibm:websphere_service_registry_and_repository:8.5.x" } } } ], "category": "product_name", "name": "WebSphere Service Registry and Repository" } ], "category": "vendor", "name": "IBM" }, { "branches": [ { "category": "product_name", "name": "Juniper Junos Space", "product": { "name": "Juniper Junos Space", "product_id": "T003343", "product_identification_helper": { "cpe": "cpe:/a:juniper:junos_space:-" } } } ], "category": "vendor", "name": "Juniper" }, { "branches": [ { "category": "product_name", "name": "Open Source CentOS", "product": { "name": "Open Source CentOS", "product_id": "1727", "product_identification_helper": { "cpe": "cpe:/o:centos:centos:-" } } } ], "category": "vendor", "name": "Open Source" }, { "branches": [ { "category": "product_name", "name": "Oracle E-Business Suite", "product": { "name": "Oracle E-Business Suite", "product_id": "8311", "product_identification_helper": { "cpe": "cpe:/a:oracle:e-business_suite:-" } } }, { "category": "product_name", "name": "Oracle Linux", "product": { "name": "Oracle Linux", "product_id": "T004914", "product_identification_helper": { "cpe": "cpe:/o:oracle:linux:-" } } } ], "category": "vendor", "name": "Oracle" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "8", "product": { "name": "Red Hat Enterprise Linux 8", "product_id": "T014111", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:8" } } } ], "category": "product_name", "name": "Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "4", "product": { "name": "Red Hat OpenShift 4", "product_id": "T018720", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4" } } }, { "category": "product_version", "name": "4.8", "product": { "name": "Red Hat OpenShift 4.8", "product_id": "T020020", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:container_platform_4.8" } } } ], "category": "product_name", "name": "OpenShift" } ], "category": "vendor", "name": "Red Hat" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux", "product": { "name": "SUSE Linux", "product_id": "T002207", "product_identification_helper": { "cpe": "cpe:/o:suse:suse_linux:-" } } } ], "category": "vendor", "name": "SUSE" }, { "branches": [ { "category": "product_name", "name": "Ubuntu Linux", "product": { "name": "Ubuntu Linux", "product_id": "T000126", "product_identification_helper": { "cpe": "cpe:/o:canonical:ubuntu_linux:-" } } } ], "category": "vendor", "name": "Ubuntu" }, { "branches": [ { "category": "product_name", "name": "Unify OpenScape 4000", "product": { "name": "Unify OpenScape 4000", "product_id": "T018011", "product_identification_helper": { "cpe": "cpe:/h:unify:openscape_4000:-" } } }, { "category": "product_name", "name": "Unify OpenScape Branch", "product": { "name": "Unify OpenScape Branch", "product_id": "T018258", "product_identification_helper": { "cpe": "cpe:/h:unify:openscape_branch:-" } } }, { "category": "product_name", "name": "Unify OpenScape Contact Center", "product": { "name": "Unify OpenScape Contact Center", "product_id": "T008876", "product_identification_helper": { "cpe": "cpe:/a:unify:openscape_contact_center:-" } } }, { "category": "product_name", "name": "Unify OpenScape Deployment Service (DLS)", "product": { "name": "Unify OpenScape Deployment Service (DLS)", "product_id": "T015711", "product_identification_helper": { "cpe": "cpe:/a:unify:openscape_deployment_service:-" } } }, { "category": "product_name", "name": "Unify OpenScape Mediaserver", "product": { "name": "Unify OpenScape Mediaserver", "product_id": "T018253", "product_identification_helper": { "cpe": "cpe:/a:unify:openscape_mediaserver:-" } } }, { "category": "product_name", "name": "Unify OpenScape UC Application", "product": { "name": "Unify OpenScape UC Application", "product_id": "T015712", "product_identification_helper": { "cpe": "cpe:/a:unify:openscape_uc_application:-" } } }, { "category": "product_name", "name": "Unify OpenScape Voice", "product": { "name": "Unify OpenScape Voice", "product_id": "T008873", "product_identification_helper": { "cpe": "cpe:/a:unify:openscape_voice:-" } } }, { "category": "product_name", "name": "Unify OpenScape Xpert", "product": { "name": "Unify OpenScape Xpert", "product_id": "T018014", "product_identification_helper": { "cpe": "cpe:/h:unify:openscape_xpert:-" } } } ], "category": "vendor", "name": "Unify" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4104", "notes": [ { "category": "description", "text": "Es existiert eine Schwachstelle in Apache log4j aufgrund einer Deserialisierung von nicht vertrauensw\u00fcrdigen Daten, wenn der Angreifer Schreibzugriff auf die Log4j-Konfiguration hat und wenn die eingesetzte Anwendung f\u00fcr die Verwendung von JMSAppender konfiguriert ist. Ein entfernter authentisierter Angreifer mit bestimmten Rechten kann diese Schwachstelle ausnutzen, um beliebigen Code auf dem System auszuf\u00fchren." } ], "product_status": { "known_affected": [ "T008876", "T008873", "T003343", "T011169", "T015127", "T019293", "T015126", "T004914", "T014111", "T021807", "T018720", "812526", "398363", "T021496", "T006099", "T015519", "T015518", "T006523", "T015516", "T015712", "T015711", "T012167", "T018011", "T018253", "T013570", "T016243", "T018014", "T022954", "T018258", "T021345", "2951", "T002207", "1024", "444803", "5104", "T004181", "T024775", "T021343", "976243", "8311", "T021356", "T021399", "T021953", "T023574", "T020020", "T019402", "T000126", "T022377", "1727" ] }, "release_date": "2021-12-15T23:00:00Z", "title": "CVE-2021-4104" } ] }
wid-sec-w-2024-0794
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Dell ECS ist ein Objektspeichersystem.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer kann mehrere Schwachstellen in Dell ECS ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren.", "title": "Angriff" }, { "category": "general", "text": "- Linux\n- UNIX\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2024-0794 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0794.json" }, { "category": "self", "summary": "WID-SEC-2024-0794 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0794" }, { "category": "external", "summary": "Dell Security Advisory DSA-2024-141 vom 2024-04-04", "url": "https://www.dell.com/support/kbdoc/000223839/dsa-2024-=" } ], "source_lang": "en-US", "title": "Dell ECS: Mehrere Schwachstellen", "tracking": { "current_release_date": "2024-04-04T22:00:00.000+00:00", "generator": { "date": "2024-04-05T09:37:24.604+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2024-0794", "initial_release_date": "2024-04-04T22:00:00.000+00:00", "revision_history": [ { "date": "2024-04-04T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c 3.8.1.0", "product": { "name": "Dell ECS \u003c 3.8.1.0", "product_id": "T033919", "product_identification_helper": { "cpe": "cpe:/h:dell:ecs:3.8.1.0" } } } ], "category": "product_name", "name": "ECS" } ], "category": "vendor", "name": "Dell" } ] }, "vulnerabilities": [ { "cve": "CVE-2018-18074", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2018-18074" }, { "cve": "CVE-2020-10663", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-10663" }, { "cve": "CVE-2020-10672", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-10672" }, { "cve": "CVE-2020-10673", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-10673" }, { "cve": "CVE-2020-10735", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-10735" }, { "cve": "CVE-2020-10968", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-10968" }, { "cve": "CVE-2020-10969", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-10969" }, { "cve": "CVE-2020-11111", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-11111" }, { "cve": "CVE-2020-11112", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-11112" }, { "cve": "CVE-2020-11113", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-11113" }, { "cve": "CVE-2020-11612", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-11612" }, { "cve": "CVE-2020-11619", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-11619" }, { "cve": "CVE-2020-11620", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-11620" }, { "cve": "CVE-2020-11979", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-11979" }, { "cve": "CVE-2020-12762", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-12762" }, { "cve": "CVE-2020-12825", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-12825" }, { "cve": "CVE-2020-13956", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-13956" }, { "cve": "CVE-2020-14060", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-14060" }, { "cve": "CVE-2020-14061", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-14061" }, { "cve": "CVE-2020-14062", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-14062" }, { "cve": "CVE-2020-14195", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-14195" }, { "cve": "CVE-2020-15250", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-15250" }, { "cve": "CVE-2020-1945", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-1945" }, { "cve": "CVE-2020-1967", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-1967" }, { "cve": "CVE-2020-1971", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-1971" }, { "cve": "CVE-2020-24616", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-24616" }, { "cve": "CVE-2020-24750", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-24750" }, { "cve": "CVE-2020-25649", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-25649" }, { "cve": "CVE-2020-25658", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-25658" }, { "cve": "CVE-2020-26116", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-26116" }, { "cve": "CVE-2020-26137", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-26137" }, { "cve": "CVE-2020-26541", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-26541" }, { "cve": "CVE-2020-27216", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-27216" }, { "cve": "CVE-2020-27218", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-27218" }, { "cve": "CVE-2020-27223", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-27223" }, { "cve": "CVE-2020-28366", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-28366" }, { "cve": "CVE-2020-28493", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-28493" }, { "cve": "CVE-2020-29509", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-29509" }, { "cve": "CVE-2020-29511", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-29511" }, { "cve": "CVE-2020-29582", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-29582" }, { "cve": "CVE-2020-29651", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-29651" }, { "cve": "CVE-2020-35490", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-35490" }, { "cve": "CVE-2020-35491", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-35491" }, { "cve": "CVE-2020-35728", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-35728" }, { "cve": "CVE-2020-36179", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36179" }, { "cve": "CVE-2020-36180", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36180" }, { "cve": "CVE-2020-36181", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36181" }, { "cve": "CVE-2020-36182", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36182" }, { "cve": "CVE-2020-36183", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36183" }, { "cve": "CVE-2020-36184", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36184" }, { "cve": "CVE-2020-36185", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36185" }, { "cve": "CVE-2020-36186", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36186" }, { "cve": "CVE-2020-36187", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36187" }, { "cve": "CVE-2020-36188", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36188" }, { "cve": "CVE-2020-36189", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36189" }, { "cve": "CVE-2020-36516", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36516" }, { "cve": "CVE-2020-36518", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36518" }, { "cve": "CVE-2020-36557", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36557" }, { "cve": "CVE-2020-36558", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36558" }, { "cve": "CVE-2020-36691", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-36691" }, { "cve": "CVE-2020-7238", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-7238" }, { "cve": "CVE-2020-8840", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-8840" }, { "cve": "CVE-2020-8908", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-8908" }, { "cve": "CVE-2020-8911", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-8911" }, { "cve": "CVE-2020-8912", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-8912" }, { "cve": "CVE-2020-9488", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-9488" }, { "cve": "CVE-2020-9493", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-9493" }, { "cve": "CVE-2020-9546", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-9546" }, { "cve": "CVE-2020-9547", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-9547" }, { "cve": "CVE-2020-9548", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2020-9548" }, { "cve": "CVE-2021-20190", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-20190" }, { "cve": "CVE-2021-20323", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-20323" }, { "cve": "CVE-2021-21290", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-21290" }, { "cve": "CVE-2021-21295", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-21295" }, { "cve": "CVE-2021-21409", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-21409" }, { "cve": "CVE-2021-23840", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-23840" }, { "cve": "CVE-2021-23841", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-23841" }, { "cve": "CVE-2021-2471", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-2471" }, { "cve": "CVE-2021-25642", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-25642" }, { "cve": "CVE-2021-26341", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-26341" }, { "cve": "CVE-2021-27918", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-27918" }, { "cve": "CVE-2021-28153", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-28153" }, { "cve": "CVE-2021-28165", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-28165" }, { "cve": "CVE-2021-28169", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-28169" }, { "cve": "CVE-2021-28861", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-28861" }, { "cve": "CVE-2021-29425", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-29425" }, { "cve": "CVE-2021-30560", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-30560" }, { "cve": "CVE-2021-3114", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3114" }, { "cve": "CVE-2021-33036", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-33036" }, { "cve": "CVE-2021-33194", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-33194" }, { "cve": "CVE-2021-33195", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-33195" }, { "cve": "CVE-2021-33196", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-33196" }, { "cve": "CVE-2021-33197", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-33197" }, { "cve": "CVE-2021-33503", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-33503" }, { "cve": "CVE-2021-33655", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-33655" }, { "cve": "CVE-2021-33656", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-33656" }, { "cve": "CVE-2021-3424", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3424" }, { "cve": "CVE-2021-34428", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-34428" }, { "cve": "CVE-2021-3449", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3449" }, { "cve": "CVE-2021-3450", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3450" }, { "cve": "CVE-2021-3530", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3530" }, { "cve": "CVE-2021-36221", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-36221" }, { "cve": "CVE-2021-36373", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-36373" }, { "cve": "CVE-2021-36374", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-36374" }, { "cve": "CVE-2021-3648", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3648" }, { "cve": "CVE-2021-36690", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-36690" }, { "cve": "CVE-2021-3711", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3711" }, { "cve": "CVE-2021-3712", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3712" }, { "cve": "CVE-2021-37136", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-37136" }, { "cve": "CVE-2021-37137", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-37137" }, { "cve": "CVE-2021-37404", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-37404" }, { "cve": "CVE-2021-37533", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-37533" }, { "cve": "CVE-2021-3754", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3754" }, { "cve": "CVE-2021-3778", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3778" }, { "cve": "CVE-2021-3796", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3796" }, { "cve": "CVE-2021-3826", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3826" }, { "cve": "CVE-2021-3827", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3827" }, { "cve": "CVE-2021-38297", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-38297" }, { "cve": "CVE-2021-3872", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3872" }, { "cve": "CVE-2021-3875", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3875" }, { "cve": "CVE-2021-3903", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3903" }, { "cve": "CVE-2021-3923", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3923" }, { "cve": "CVE-2021-3927", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3927" }, { "cve": "CVE-2021-3928", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3928" }, { "cve": "CVE-2021-3968", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3968" }, { "cve": "CVE-2021-3973", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3973" }, { "cve": "CVE-2021-3974", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3974" }, { "cve": "CVE-2021-3984", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-3984" }, { "cve": "CVE-2021-4019", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-4019" }, { "cve": "CVE-2021-4037", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-4037" }, { "cve": "CVE-2021-4069", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-4069" }, { "cve": "CVE-2021-4104", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-4104" }, { "cve": "CVE-2021-4136", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-4136" }, { "cve": "CVE-2021-4157", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-4157" }, { "cve": "CVE-2021-4166", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-4166" }, { "cve": "CVE-2021-41771", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-41771" }, { "cve": "CVE-2021-4192", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-4192" }, { "cve": "CVE-2021-4193", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-4193" }, { "cve": "CVE-2021-4203", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-4203" }, { "cve": "CVE-2021-42567", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-42567" }, { "cve": "CVE-2021-43797", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-43797" }, { "cve": "CVE-2021-44531", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-44531" }, { "cve": "CVE-2021-44532", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-44532" }, { "cve": "CVE-2021-44533", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-44533" }, { "cve": "CVE-2021-44716", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-44716" }, { "cve": "CVE-2021-44878", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-44878" }, { "cve": "CVE-2021-45078", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-45078" }, { "cve": "CVE-2021-46195", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-46195" }, { "cve": "CVE-2021-46828", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-46828" }, { "cve": "CVE-2021-46848", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2021-46848" }, { "cve": "CVE-2022-0128", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0128" }, { "cve": "CVE-2022-0213", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0213" }, { "cve": "CVE-2022-0225", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0225" }, { "cve": "CVE-2022-0261", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0261" }, { "cve": "CVE-2022-0318", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0318" }, { "cve": "CVE-2022-0319", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0319" }, { "cve": "CVE-2022-0351", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0351" }, { "cve": "CVE-2022-0359", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0359" }, { "cve": "CVE-2022-0361", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0361" }, { "cve": "CVE-2022-0392", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0392" }, { "cve": "CVE-2022-0407", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0407" }, { "cve": "CVE-2022-0413", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0413" }, { "cve": "CVE-2022-0561", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0561" }, { "cve": "CVE-2022-0696", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0696" }, { "cve": "CVE-2022-0778", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-0778" }, { "cve": "CVE-2022-1184", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1184" }, { "cve": "CVE-2022-1245", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1245" }, { "cve": "CVE-2022-1271", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1271" }, { "cve": "CVE-2022-1292", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1292" }, { "cve": "CVE-2022-1381", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1381" }, { "cve": "CVE-2022-1420", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1420" }, { "cve": "CVE-2022-1462", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1462" }, { "cve": "CVE-2022-1466", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1466" }, { "cve": "CVE-2022-1471", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1471" }, { "cve": "CVE-2022-1586", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1586" }, { "cve": "CVE-2022-1587", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1587" }, { "cve": "CVE-2022-1616", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1616" }, { "cve": "CVE-2022-1619", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1619" }, { "cve": "CVE-2022-1620", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1620" }, { "cve": "CVE-2022-1679", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1679" }, { "cve": "CVE-2022-1705", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1705" }, { "cve": "CVE-2022-1720", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1720" }, { "cve": "CVE-2022-1729", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1729" }, { "cve": "CVE-2022-1733", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1733" }, { "cve": "CVE-2022-1735", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1735" }, { "cve": "CVE-2022-1771", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1771" }, { "cve": "CVE-2022-1785", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1785" }, { "cve": "CVE-2022-1796", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1796" }, { "cve": "CVE-2022-1851", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1851" }, { "cve": "CVE-2022-1897", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1897" }, { "cve": "CVE-2022-1898", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1898" }, { "cve": "CVE-2022-1927", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1927" }, { "cve": "CVE-2022-1962", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1962" }, { "cve": "CVE-2022-1968", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1968" }, { "cve": "CVE-2022-1974", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1974" }, { "cve": "CVE-2022-1975", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-1975" }, { "cve": "CVE-2022-20132", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-20132" }, { "cve": "CVE-2022-20141", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-20141" }, { "cve": "CVE-2022-20154", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-20154" }, { "cve": "CVE-2022-20166", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-20166" }, { "cve": "CVE-2022-20368", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-20368" }, { "cve": "CVE-2022-20369", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-20369" }, { "cve": "CVE-2022-2047", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2047" }, { "cve": "CVE-2022-2048", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2048" }, { "cve": "CVE-2022-20567", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-20567" }, { "cve": "CVE-2022-2068", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2068" }, { "cve": "CVE-2022-2097", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2097" }, { "cve": "CVE-2022-21216", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21216" }, { "cve": "CVE-2022-21233", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21233" }, { "cve": "CVE-2022-2124", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2124" }, { "cve": "CVE-2022-2125", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2125" }, { "cve": "CVE-2022-2126", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2126" }, { "cve": "CVE-2022-2129", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2129" }, { "cve": "CVE-2022-21363", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21363" }, { "cve": "CVE-2022-21385", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21385" }, { "cve": "CVE-2022-21499", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21499" }, { "cve": "CVE-2022-2153", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2153" }, { "cve": "CVE-2022-21540", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21540" }, { "cve": "CVE-2022-21541", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21541" }, { "cve": "CVE-2022-21549", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21549" }, { "cve": "CVE-2022-21618", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21618" }, { "cve": "CVE-2022-21619", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21619" }, { "cve": "CVE-2022-21624", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21624" }, { "cve": "CVE-2022-21626", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21626" }, { "cve": "CVE-2022-21628", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21628" }, { "cve": "CVE-2022-21702", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-21702" }, { "cve": "CVE-2022-2175", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2175" }, { "cve": "CVE-2022-2182", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2182" }, { "cve": "CVE-2022-2183", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2183" }, { "cve": "CVE-2022-2206", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2206" }, { "cve": "CVE-2022-2207", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2207" }, { "cve": "CVE-2022-2208", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2208" }, { "cve": "CVE-2022-2210", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2210" }, { "cve": "CVE-2022-2231", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2231" }, { "cve": "CVE-2022-2256", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2256" }, { "cve": "CVE-2022-2257", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2257" }, { "cve": "CVE-2022-2264", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2264" }, { "cve": "CVE-2022-2284", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2284" }, { "cve": "CVE-2022-2285", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2285" }, { "cve": "CVE-2022-2286", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2286" }, { "cve": "CVE-2022-2287", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2287" }, { "cve": "CVE-2022-22976", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-22976" }, { "cve": "CVE-2022-22978", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-22978" }, { "cve": "CVE-2022-2304", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2304" }, { "cve": "CVE-2022-2318", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2318" }, { "cve": "CVE-2022-23302", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-23302" }, { "cve": "CVE-2022-23305", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-23305" }, { "cve": "CVE-2022-23307", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-23307" }, { "cve": "CVE-2022-2343", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2343" }, { "cve": "CVE-2022-2344", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2344" }, { "cve": "CVE-2022-2345", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2345" }, { "cve": "CVE-2022-23471", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-23471" }, { "cve": "CVE-2022-23521", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-23521" }, { "cve": "CVE-2022-23772", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-23772" }, { "cve": "CVE-2022-23773", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-23773" }, { "cve": "CVE-2022-24302", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-24302" }, { "cve": "CVE-2022-24329", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-24329" }, { "cve": "CVE-2022-24823", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-24823" }, { "cve": "CVE-2022-24903", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-24903" }, { "cve": "CVE-2022-2503", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2503" }, { "cve": "CVE-2022-25147", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-25147" }, { "cve": "CVE-2022-25168", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-25168" }, { "cve": "CVE-2022-2519", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2519" }, { "cve": "CVE-2022-2520", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2520" }, { "cve": "CVE-2022-2521", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2521" }, { "cve": "CVE-2022-2522", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2522" }, { "cve": "CVE-2022-25647", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-25647" }, { "cve": "CVE-2022-2571", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2571" }, { "cve": "CVE-2022-2580", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2580" }, { "cve": "CVE-2022-2581", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2581" }, { "cve": "CVE-2022-25857", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-25857" }, { "cve": "CVE-2022-2588", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2588" }, { "cve": "CVE-2022-2598", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2598" }, { "cve": "CVE-2022-26148", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-26148" }, { "cve": "CVE-2022-26365", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-26365" }, { "cve": "CVE-2022-26373", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-26373" }, { "cve": "CVE-2022-2639", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2639" }, { "cve": "CVE-2022-26612", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-26612" }, { "cve": "CVE-2022-2663", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2663" }, { "cve": "CVE-2022-27781", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-27781" }, { "cve": "CVE-2022-27782", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-27782" }, { "cve": "CVE-2022-27943", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-27943" }, { "cve": "CVE-2022-2795", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2795" }, { "cve": "CVE-2022-28131", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-28131" }, { "cve": "CVE-2022-2816", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2816" }, { "cve": "CVE-2022-2817", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2817" }, { "cve": "CVE-2022-2819", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2819" }, { "cve": "CVE-2022-28327", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-28327" }, { "cve": "CVE-2022-2845", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2845" }, { "cve": "CVE-2022-2849", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2849" }, { "cve": "CVE-2022-2862", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2862" }, { "cve": "CVE-2022-2867", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2867" }, { "cve": "CVE-2022-2868", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2868" }, { "cve": "CVE-2022-2869", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2869" }, { "cve": "CVE-2022-28693", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-28693" }, { "cve": "CVE-2022-2874", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2874" }, { "cve": "CVE-2022-28748", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-28748" }, { "cve": "CVE-2022-2880", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2880" }, { "cve": "CVE-2022-2889", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2889" }, { "cve": "CVE-2022-29162", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-29162" }, { "cve": "CVE-2022-29187", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-29187" }, { "cve": "CVE-2022-2923", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2923" }, { "cve": "CVE-2022-2946", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2946" }, { "cve": "CVE-2022-29526", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-29526" }, { "cve": "CVE-2022-29583", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-29583" }, { "cve": "CVE-2022-2964", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2964" }, { "cve": "CVE-2022-2977", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2977" }, { "cve": "CVE-2022-2980", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2980" }, { "cve": "CVE-2022-2982", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2982" }, { "cve": "CVE-2022-29900", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-29900" }, { "cve": "CVE-2022-29901", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-29901" }, { "cve": "CVE-2022-2991", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-2991" }, { "cve": "CVE-2022-3016", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3016" }, { "cve": "CVE-2022-3028", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3028" }, { "cve": "CVE-2022-3037", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3037" }, { "cve": "CVE-2022-30580", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-30580" }, { "cve": "CVE-2022-30630", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-30630" }, { "cve": "CVE-2022-30631", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-30631" }, { "cve": "CVE-2022-30632", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-30632" }, { "cve": "CVE-2022-30633", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-30633" }, { "cve": "CVE-2022-3099", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3099" }, { "cve": "CVE-2022-31030", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-31030" }, { "cve": "CVE-2022-31159", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-31159" }, { "cve": "CVE-2022-3134", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3134" }, { "cve": "CVE-2022-3153", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3153" }, { "cve": "CVE-2022-3169", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3169" }, { "cve": "CVE-2022-31690", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-31690" }, { "cve": "CVE-2022-32148", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-32148" }, { "cve": "CVE-2022-32149", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-32149" }, { "cve": "CVE-2022-32206", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-32206" }, { "cve": "CVE-2022-32208", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-32208" }, { "cve": "CVE-2022-32221", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-32221" }, { "cve": "CVE-2022-3234", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3234" }, { "cve": "CVE-2022-3235", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3235" }, { "cve": "CVE-2022-3239", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3239" }, { "cve": "CVE-2022-3278", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3278" }, { "cve": "CVE-2022-3296", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3296" }, { "cve": "CVE-2022-3297", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3297" }, { "cve": "CVE-2022-33196", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-33196" }, { "cve": "CVE-2022-3324", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3324" }, { "cve": "CVE-2022-3352", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3352" }, { "cve": "CVE-2022-33740", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-33740" }, { "cve": "CVE-2022-33741", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-33741" }, { "cve": "CVE-2022-33742", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-33742" }, { "cve": "CVE-2022-33972", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-33972" }, { "cve": "CVE-2022-33981", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-33981" }, { "cve": "CVE-2022-34169", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-34169" }, { "cve": "CVE-2022-3424", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3424" }, { "cve": "CVE-2022-34266", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-34266" }, { "cve": "CVE-2022-34526", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-34526" }, { "cve": "CVE-2022-34903", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-34903" }, { "cve": "CVE-2022-3491", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3491" }, { "cve": "CVE-2022-3515", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3515" }, { "cve": "CVE-2022-3520", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3520" }, { "cve": "CVE-2022-3521", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3521" }, { "cve": "CVE-2022-3524", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3524" }, { "cve": "CVE-2022-35252", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-35252" }, { "cve": "CVE-2022-3542", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3542" }, { "cve": "CVE-2022-3545", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3545" }, { "cve": "CVE-2022-3564", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3564" }, { "cve": "CVE-2022-3565", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3565" }, { "cve": "CVE-2022-3566", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3566" }, { "cve": "CVE-2022-3567", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3567" }, { "cve": "CVE-2022-35737", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-35737" }, { "cve": "CVE-2022-3586", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3586" }, { "cve": "CVE-2022-3591", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3591" }, { "cve": "CVE-2022-3594", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3594" }, { "cve": "CVE-2022-3597", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3597" }, { "cve": "CVE-2022-3599", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3599" }, { "cve": "CVE-2022-36109", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-36109" }, { "cve": "CVE-2022-3621", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3621" }, { "cve": "CVE-2022-3626", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3626" }, { "cve": "CVE-2022-3627", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3627" }, { "cve": "CVE-2022-3628", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3628" }, { "cve": "CVE-2022-36280", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-36280" }, { "cve": "CVE-2022-3629", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3629" }, { "cve": "CVE-2022-3635", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3635" }, { "cve": "CVE-2022-3643", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3643" }, { "cve": "CVE-2022-36437", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-36437" }, { "cve": "CVE-2022-3646", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3646" }, { "cve": "CVE-2022-3649", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3649" }, { "cve": "CVE-2022-36760", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-36760" }, { "cve": "CVE-2022-36879", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-36879" }, { "cve": "CVE-2022-36946", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-36946" }, { "cve": "CVE-2022-3705", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3705" }, { "cve": "CVE-2022-37434", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-37434" }, { "cve": "CVE-2022-37436", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-37436" }, { "cve": "CVE-2022-37865", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-37865" }, { "cve": "CVE-2022-37866", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-37866" }, { "cve": "CVE-2022-38090", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-38090" }, { "cve": "CVE-2022-38096", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-38096" }, { "cve": "CVE-2022-38126", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-38126" }, { "cve": "CVE-2022-38127", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-38127" }, { "cve": "CVE-2022-38177", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-38177" }, { "cve": "CVE-2022-38178", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-38178" }, { "cve": "CVE-2022-3821", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3821" }, { "cve": "CVE-2022-38533", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-38533" }, { "cve": "CVE-2022-38749", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-38749" }, { "cve": "CVE-2022-38750", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-38750" }, { "cve": "CVE-2022-38751", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-38751" }, { "cve": "CVE-2022-38752", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-38752" }, { "cve": "CVE-2022-39028", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-39028" }, { "cve": "CVE-2022-3903", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3903" }, { "cve": "CVE-2022-39188", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-39188" }, { "cve": "CVE-2022-39399", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-39399" }, { "cve": "CVE-2022-3970", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-3970" }, { "cve": "CVE-2022-40149", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-40149" }, { "cve": "CVE-2022-40150", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-40150" }, { "cve": "CVE-2022-40151", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-40151" }, { "cve": "CVE-2022-40152", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-40152" }, { "cve": "CVE-2022-40153", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-40153" }, { "cve": "CVE-2022-40303", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-40303" }, { "cve": "CVE-2022-40304", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-40304" }, { "cve": "CVE-2022-40307", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-40307" }, { "cve": "CVE-2022-40674", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-40674" }, { "cve": "CVE-2022-40768", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-40768" }, { "cve": "CVE-2022-40899", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-40899" }, { "cve": "CVE-2022-4095", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-4095" }, { "cve": "CVE-2022-41218", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-41218" }, { "cve": "CVE-2022-4129", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-4129" }, { "cve": "CVE-2022-4141", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-4141" }, { "cve": "CVE-2022-41717", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-41717" }, { "cve": "CVE-2022-41721", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-41721" }, { "cve": "CVE-2022-41848", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-41848" }, { "cve": "CVE-2022-41850", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-41850" }, { "cve": "CVE-2022-41854", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-41854" }, { "cve": "CVE-2022-41858", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-41858" }, { "cve": "CVE-2022-41881", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-41881" }, { "cve": "CVE-2022-41903", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-41903" }, { "cve": "CVE-2022-41915", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-41915" }, { "cve": "CVE-2022-41966", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-41966" }, { "cve": "CVE-2022-41974", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-41974" }, { "cve": "CVE-2022-42003", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-42003" }, { "cve": "CVE-2022-42004", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-42004" }, { "cve": "CVE-2022-42010", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-42010" }, { "cve": "CVE-2022-42011", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-42011" }, { "cve": "CVE-2022-42012", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-42012" }, { "cve": "CVE-2022-42328", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-42328" }, { "cve": "CVE-2022-42329", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-42329" }, { "cve": "CVE-2022-42703", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-42703" }, { "cve": "CVE-2022-42889", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-42889" }, { "cve": "CVE-2022-42895", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-42895" }, { "cve": "CVE-2022-42896", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-42896" }, { "cve": "CVE-2022-42898", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-42898" }, { "cve": "CVE-2022-4292", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-4292" }, { "cve": "CVE-2022-4293", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-4293" }, { "cve": "CVE-2022-42969", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-42969" }, { "cve": "CVE-2022-4304", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-4304" }, { "cve": "CVE-2022-43552", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-43552" }, { "cve": "CVE-2022-43680", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-43680" }, { "cve": "CVE-2022-43750", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-43750" }, { "cve": "CVE-2022-4378", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-4378" }, { "cve": "CVE-2022-43945", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-43945" }, { "cve": "CVE-2022-43995", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-43995" }, { "cve": "CVE-2022-4415", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-4415" }, { "cve": "CVE-2022-4450", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-4450" }, { "cve": "CVE-2022-44638", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-44638" }, { "cve": "CVE-2022-45061", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-45061" }, { "cve": "CVE-2022-45688", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-45688" }, { "cve": "CVE-2022-45884", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-45884" }, { "cve": "CVE-2022-45885", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-45885" }, { "cve": "CVE-2022-45886", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-45886" }, { "cve": "CVE-2022-45887", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-45887" }, { "cve": "CVE-2022-45919", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-45919" }, { "cve": "CVE-2022-45934", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-45934" }, { "cve": "CVE-2022-45939", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-45939" }, { "cve": "CVE-2022-4662", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-4662" }, { "cve": "CVE-2022-46751", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-46751" }, { "cve": "CVE-2022-46908", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-46908" }, { "cve": "CVE-2022-47629", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-47629" }, { "cve": "CVE-2022-47929", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-47929" }, { "cve": "CVE-2022-48281", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-48281" }, { "cve": "CVE-2022-48337", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-48337" }, { "cve": "CVE-2022-48339", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2022-48339" }, { "cve": "CVE-2023-0045", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0045" }, { "cve": "CVE-2023-0049", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0049" }, { "cve": "CVE-2023-0051", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0051" }, { "cve": "CVE-2023-0054", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0054" }, { "cve": "CVE-2023-0215", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0215" }, { "cve": "CVE-2023-0286", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0286" }, { "cve": "CVE-2023-0288", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0288" }, { "cve": "CVE-2023-0433", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0433" }, { "cve": "CVE-2023-0464", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0464" }, { "cve": "CVE-2023-0465", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0465" }, { "cve": "CVE-2023-0466", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0466" }, { "cve": "CVE-2023-0512", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0512" }, { "cve": "CVE-2023-0590", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0590" }, { "cve": "CVE-2023-0597", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0597" }, { "cve": "CVE-2023-0833", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-0833" }, { "cve": "CVE-2023-1076", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1076" }, { "cve": "CVE-2023-1095", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1095" }, { "cve": "CVE-2023-1118", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1118" }, { "cve": "CVE-2023-1127", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1127" }, { "cve": "CVE-2023-1170", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1170" }, { "cve": "CVE-2023-1175", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1175" }, { "cve": "CVE-2023-1370", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1370" }, { "cve": "CVE-2023-1380", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1380" }, { "cve": "CVE-2023-1390", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1390" }, { "cve": "CVE-2023-1436", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1436" }, { "cve": "CVE-2023-1513", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1513" }, { "cve": "CVE-2023-1611", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1611" }, { "cve": "CVE-2023-1670", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1670" }, { "cve": "CVE-2023-1855", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1855" }, { "cve": "CVE-2023-1989", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1989" }, { "cve": "CVE-2023-1990", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1990" }, { "cve": "CVE-2023-1998", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-1998" }, { "cve": "CVE-2023-20862", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-20862" }, { "cve": "CVE-2023-2124", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-2124" }, { "cve": "CVE-2023-2162", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-2162" }, { "cve": "CVE-2023-2176", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-2176" }, { "cve": "CVE-2023-21830", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-21830" }, { "cve": "CVE-2023-21835", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-21835" }, { "cve": "CVE-2023-21843", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-21843" }, { "cve": "CVE-2023-21930", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-21930" }, { "cve": "CVE-2023-21937", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-21937" }, { "cve": "CVE-2023-21938", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-21938" }, { "cve": "CVE-2023-21939", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-21939" }, { "cve": "CVE-2023-2194", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-2194" }, { "cve": "CVE-2023-21954", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-21954" }, { "cve": "CVE-2023-21967", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-21967" }, { "cve": "CVE-2023-21968", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-21968" }, { "cve": "CVE-2023-22490", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-22490" }, { "cve": "CVE-2023-2253", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-2253" }, { "cve": "CVE-2023-22809", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-22809" }, { "cve": "CVE-2023-23454", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-23454" }, { "cve": "CVE-2023-23455", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-23455" }, { "cve": "CVE-2023-23559", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-23559" }, { "cve": "CVE-2023-23916", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-23916" }, { "cve": "CVE-2023-23946", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-23946" }, { "cve": "CVE-2023-24329", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-24329" }, { "cve": "CVE-2023-24532", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-24532" }, { "cve": "CVE-2023-24534", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-24534" }, { "cve": "CVE-2023-2483", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-2483" }, { "cve": "CVE-2023-24998", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-24998" }, { "cve": "CVE-2023-2513", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-2513" }, { "cve": "CVE-2023-25193", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-25193" }, { "cve": "CVE-2023-25652", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-25652" }, { "cve": "CVE-2023-25690", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-25690" }, { "cve": "CVE-2023-25809", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-25809" }, { "cve": "CVE-2023-25815", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-25815" }, { "cve": "CVE-2023-26048", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-26048" }, { "cve": "CVE-2023-26049", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-26049" }, { "cve": "CVE-2023-2650", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-2650" }, { "cve": "CVE-2023-26545", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-26545" }, { "cve": "CVE-2023-26604", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-26604" }, { "cve": "CVE-2023-27533", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-27533" }, { "cve": "CVE-2023-27534", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-27534" }, { "cve": "CVE-2023-27535", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-27535" }, { "cve": "CVE-2023-27536", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-27536" }, { "cve": "CVE-2023-27538", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-27538" }, { "cve": "CVE-2023-27561", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-27561" }, { "cve": "CVE-2023-2828", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-2828" }, { "cve": "CVE-2023-28320", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-28320" }, { "cve": "CVE-2023-28321", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-28321" }, { "cve": "CVE-2023-28322", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-28322" }, { "cve": "CVE-2023-28328", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-28328" }, { "cve": "CVE-2023-28464", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-28464" }, { "cve": "CVE-2023-28486", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-28486" }, { "cve": "CVE-2023-28487", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-28487" }, { "cve": "CVE-2023-28642", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-28642" }, { "cve": "CVE-2023-28772", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-28772" }, { "cve": "CVE-2023-28840", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-28840" }, { "cve": "CVE-2023-28841", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-28841" }, { "cve": "CVE-2023-28842", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-28842" }, { "cve": "CVE-2023-29007", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-29007" }, { "cve": "CVE-2023-29383", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-29383" }, { "cve": "CVE-2023-29402", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-29402" }, { "cve": "CVE-2023-29406", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-29406" }, { "cve": "CVE-2023-29409", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-29409" }, { "cve": "CVE-2023-2976", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-2976" }, { "cve": "CVE-2023-30630", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-30630" }, { "cve": "CVE-2023-30772", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-30772" }, { "cve": "CVE-2023-31084", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-31084" }, { "cve": "CVE-2023-3138", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-3138" }, { "cve": "CVE-2023-31436", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-31436" }, { "cve": "CVE-2023-31484", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-31484" }, { "cve": "CVE-2023-32269", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-32269" }, { "cve": "CVE-2023-32697", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-32697" }, { "cve": "CVE-2023-33264", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-33264" }, { "cve": "CVE-2023-34034", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-34034" }, { "cve": "CVE-2023-34035", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-34035" }, { "cve": "CVE-2023-34453", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-34453" }, { "cve": "CVE-2023-34454", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-34454" }, { "cve": "CVE-2023-34455", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-34455" }, { "cve": "CVE-2023-34462", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-34462" }, { "cve": "CVE-2023-35116", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-35116" }, { "cve": "CVE-2023-3635", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-3635" }, { "cve": "CVE-2023-36479", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-36479" }, { "cve": "CVE-2023-39533", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-39533" }, { "cve": "CVE-2023-40167", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-40167" }, { "cve": "CVE-2023-40217", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-40217" }, { "cve": "CVE-2023-41105", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-41105" }, { "cve": "CVE-2023-41900", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-41900" }, { "cve": "CVE-2023-43642", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-43642" }, { "cve": "CVE-2023-43804", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-43804" }, { "cve": "CVE-2023-44487", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-44487" }, { "cve": "CVE-2023-45803", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2023-45803" }, { "cve": "CVE-2024-21626", "notes": [ { "category": "description", "text": "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuf\u00fchren." } ], "release_date": "2024-04-04T22:00:00Z", "title": "CVE-2024-21626" } ] }
wid-sec-w-2023-0063
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Junos Space ist eine Software-Plattform, die eine Reihe von Applikationen f\u00fcr das Netzwerkmanagement beinhaltet.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in Juniper Junos Space ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern.", "title": "Angriff" }, { "category": "general", "text": "- Juniper Appliance", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-0063 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2023-0063.json" }, { "category": "self", "summary": "WID-SEC-2023-0063 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0063" }, { "category": "external", "summary": "Juniper Security Advisory JSA70182 vom 2023-01-12", "url": "https://supportportal.juniper.net/s/article/2023-01-Security-Bulletin-Contrail-Service-Orchestration-Multiple-vulnerabilities-resolved-in-CSO-6-3-0?language=en_US" }, { "category": "external", "summary": "Juniper Security Advisory vom 2022-01-12", "url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA11287\u0026cat=SIRT_1" } ], "source_lang": "en-US", "title": "Juniper Junos Space: Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-01-11T23:00:00.000+00:00", "generator": { "date": "2024-02-15T17:09:11.163+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2023-0063", "initial_release_date": "2022-01-12T23:00:00.000+00:00", "revision_history": [ { "date": "2022-01-12T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2023-01-11T23:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Juniper aufgenommen" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Juniper Contrail Service Orchestration", "product": { "name": "Juniper Contrail Service Orchestration", "product_id": "T025794", "product_identification_helper": { "cpe": "cpe:/a:juniper:contrail_service_orchestration:-" } } }, { "category": "product_name", "name": "Juniper Junos Space \u003c 21.3R1", "product": { "name": "Juniper Junos Space \u003c 21.3R1", "product_id": "T021576", "product_identification_helper": { "cpe": "cpe:/a:juniper:junos_space:21.3r1" } } } ], "category": "vendor", "name": "Juniper" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-17543", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2019-17543" }, { "cve": "CVE-2019-20934", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2019-20934" }, { "cve": "CVE-2020-0543", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-0543" }, { "cve": "CVE-2020-0548", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-0548" }, { "cve": "CVE-2020-0549", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-0549" }, { "cve": "CVE-2020-11022", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-11022" }, { "cve": "CVE-2020-11023", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-11023" }, { "cve": "CVE-2020-11668", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-11668" }, { "cve": "CVE-2020-11984", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-11984" }, { "cve": "CVE-2020-11993", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-11993" }, { "cve": "CVE-2020-12362", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-12362" }, { "cve": "CVE-2020-12363", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-12363" }, { "cve": "CVE-2020-12364", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-12364" }, { "cve": "CVE-2020-1927", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-1927" }, { "cve": "CVE-2020-1934", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-1934" }, { "cve": "CVE-2020-24489", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-24489" }, { "cve": "CVE-2020-24511", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-24511" }, { "cve": "CVE-2020-24512", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-24512" }, { "cve": "CVE-2020-27170", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-27170" }, { "cve": "CVE-2020-27777", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-27777" }, { "cve": "CVE-2020-29443", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-29443" }, { "cve": "CVE-2020-8625", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-8625" }, { "cve": "CVE-2020-8648", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-8648" }, { "cve": "CVE-2020-8695", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-8695" }, { "cve": "CVE-2020-8696", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-8696" }, { "cve": "CVE-2020-8698", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-8698" }, { "cve": "CVE-2020-9490", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2020-9490" }, { "cve": "CVE-2021-20254", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-20254" }, { "cve": "CVE-2021-22555", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-22555" }, { "cve": "CVE-2021-22901", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-22901" }, { "cve": "CVE-2021-2341", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-2341" }, { "cve": "CVE-2021-2342", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-2342" }, { "cve": "CVE-2021-2356", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-2356" }, { "cve": "CVE-2021-2369", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-2369" }, { "cve": "CVE-2021-2372", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-2372" }, { "cve": "CVE-2021-2385", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-2385" }, { "cve": "CVE-2021-2388", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-2388" }, { "cve": "CVE-2021-2389", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-2389" }, { "cve": "CVE-2021-2390", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-2390" }, { "cve": "CVE-2021-25214", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-25214" }, { "cve": "CVE-2021-25217", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-25217" }, { "cve": "CVE-2021-27219", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-27219" }, { "cve": "CVE-2021-29154", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-29154" }, { "cve": "CVE-2021-29650", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-29650" }, { "cve": "CVE-2021-31535", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-31535" }, { "cve": "CVE-2021-32399", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-32399" }, { "cve": "CVE-2021-33033", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-33033" }, { "cve": "CVE-2021-33034", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-33034" }, { "cve": "CVE-2021-3347", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-3347" }, { "cve": "CVE-2021-33909", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-33909" }, { "cve": "CVE-2021-3653", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-3653" }, { "cve": "CVE-2021-3656", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-3656" }, { "cve": "CVE-2021-3715", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-3715" }, { "cve": "CVE-2021-37576", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-37576" }, { "cve": "CVE-2021-4104", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-4104" }, { "cve": "CVE-2021-42550", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-42550" }, { "cve": "CVE-2021-44228", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-44228" }, { "cve": "CVE-2021-45046", "notes": [ { "category": "description", "text": "In Juniper Junos Space existieren mehrere Schwachstellen. Die Fehler existieren in verschiedenen Komponenten und Bibliotheken, darunter LZ4, Linux Kernel, Intel Prozessoren, Apache HTTP Server, BIND, Intel VT-d, Intel Grafiktreiber, KVM Hypervisor, QEMU, Java SE, MySQL Server, samba, curl, GNOME, jQuery, Apache Log4j und logback. Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszul\u00f6sen, beliebigen Code auszuf\u00fchren und seine Privilegien zu erweitern. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion und erh\u00f6hte Rechte." } ], "product_status": { "known_affected": [ "T025794" ] }, "release_date": "2022-01-12T23:00:00Z", "title": "CVE-2021-45046" } ] }
wid-sec-w-2023-1807
Vulnerability from csaf_certbund
Notes
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Oracle Fusion Middleware b\u00fcndelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.", "title": "Angriff" }, { "category": "general", "text": "- UNIX\n- Linux\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-1807 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1807.json" }, { "category": "self", "summary": "WID-SEC-2023-1807 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1807" }, { "category": "external", "summary": "Oracle Critical Patch Update Advisory - July 2023 - Appendix Oracle Fusion Middleware vom 2023-07-18", "url": "https://www.oracle.com/security-alerts/cpujul2023.html#AppendixFMW" }, { "category": "external", "summary": "Dell Security Advisory DSA-2023-409 vom 2023-12-23", "url": "https://www.dell.com/support/kbdoc/000220669/dsa-2023-=" } ], "source_lang": "en-US", "title": "Oracle Fusion Middleware: Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-12-26T23:00:00.000+00:00", "generator": { "date": "2024-02-15T17:37:19.280+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2023-1807", "initial_release_date": "2023-07-18T22:00:00.000+00:00", "revision_history": [ { "date": "2023-07-18T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2023-12-26T23:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Dell aufgenommen" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Oracle Fusion Middleware 12.2.1.3.0", "product": { "name": "Oracle Fusion Middleware 12.2.1.3.0", "product_id": "618028", "product_identification_helper": { "cpe": "cpe:/a:oracle:fusion_middleware:12.2.1.3.0" } } }, { "category": "product_name", "name": "Oracle Fusion Middleware 12.2.1.4.0", "product": { "name": "Oracle Fusion Middleware 12.2.1.4.0", "product_id": "751674", "product_identification_helper": { "cpe": "cpe:/a:oracle:fusion_middleware:12.2.1.4.0" } } }, { "category": "product_name", "name": "Oracle Fusion Middleware 14.1.1.0.0", "product": { "name": "Oracle Fusion Middleware 14.1.1.0.0", "product_id": "829576", "product_identification_helper": { "cpe": "cpe:/a:oracle:fusion_middleware:14.1.1.0.0" } } }, { "category": "product_name", "name": "Oracle Fusion Middleware 9.1.0", "product": { "name": "Oracle Fusion Middleware 9.1.0", "product_id": "T022847", "product_identification_helper": { "cpe": "cpe:/a:oracle:fusion_middleware:9.1.0" } } }, { "category": "product_name", "name": "Oracle Fusion Middleware \u003c 11.1.2.3.1", "product": { "name": "Oracle Fusion Middleware \u003c 11.1.2.3.1", "product_id": "T028708", "product_identification_helper": { "cpe": "cpe:/a:oracle:fusion_middleware:11.1.2.3.1" } } } ], "category": "product_name", "name": "Fusion Middleware" } ], "category": "vendor", "name": "Oracle" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-26119", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2023-26119" }, { "cve": "CVE-2023-26049", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2023-26049" }, { "cve": "CVE-2023-25690", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2023-25690" }, { "cve": "CVE-2023-25194", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2023-25194" }, { "cve": "CVE-2023-24998", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2023-24998" }, { "cve": "CVE-2023-23914", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2023-23914" }, { "cve": "CVE-2023-22899", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2023-22899" }, { "cve": "CVE-2023-22040", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2023-22040" }, { "cve": "CVE-2023-22031", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2023-22031" }, { "cve": "CVE-2023-21994", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2023-21994" }, { "cve": "CVE-2023-20863", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2023-20863" }, { "cve": "CVE-2023-20861", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2023-20861" }, { "cve": "CVE-2023-20860", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2023-20860" }, { "cve": "CVE-2023-1436", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2023-1436" }, { "cve": "CVE-2023-1370", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2023-1370" }, { "cve": "CVE-2022-45688", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-45688" }, { "cve": "CVE-2022-45047", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-45047" }, { "cve": "CVE-2022-43680", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-43680" }, { "cve": "CVE-2022-42920", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-42920" }, { "cve": "CVE-2022-42890", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-42890" }, { "cve": "CVE-2022-41966", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-41966" }, { "cve": "CVE-2022-41853", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-41853" }, { "cve": "CVE-2022-40152", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-40152" }, { "cve": "CVE-2022-36033", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-36033" }, { "cve": "CVE-2022-33879", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-33879" }, { "cve": "CVE-2022-31197", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-31197" }, { "cve": "CVE-2022-29546", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-29546" }, { "cve": "CVE-2022-25647", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-25647" }, { "cve": "CVE-2022-24409", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-24409" }, { "cve": "CVE-2022-23437", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-23437" }, { "cve": "CVE-2021-46877", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2021-46877" }, { "cve": "CVE-2021-43113", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2021-43113" }, { "cve": "CVE-2021-42575", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2021-42575" }, { "cve": "CVE-2021-41184", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2021-41184" }, { "cve": "CVE-2021-4104", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2021-4104" }, { "cve": "CVE-2021-37533", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2021-37533" }, { "cve": "CVE-2021-36374", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2021-36374" }, { "cve": "CVE-2021-36090", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2021-36090" }, { "cve": "CVE-2021-34429", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2021-34429" }, { "cve": "CVE-2021-33813", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2021-33813" }, { "cve": "CVE-2021-29425", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2021-29425" }, { "cve": "CVE-2021-28168", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2021-28168" }, { "cve": "CVE-2021-26117", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2021-26117" }, { "cve": "CVE-2021-23926", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2021-23926" }, { "cve": "CVE-2020-8908", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2020-8908" }, { "cve": "CVE-2020-36518", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2020-36518" }, { "cve": "CVE-2020-17521", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2020-17521" }, { "cve": "CVE-2020-13956", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2020-13956" }, { "cve": "CVE-2020-13936", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T022847", "618028", "751674", "829576" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2020-13936" } ] }
ghsa-fp5r-v3w9-4333
Vulnerability from github
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
{ "affected": [ { "package": { "ecosystem": "Maven", "name": "log4j:log4j" }, "ranges": [ { "events": [ { "introduced": "1.2.0" }, { "last_affected": "1.2.17" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.zenframework.z8.dependencies.commons:log4j-1.2.17" }, "ranges": [ { "events": [ { "introduced": "0" }, { "last_affected": "2.0" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2021-4104" ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2021-12-14T19:47:27Z", "nvd_published_at": "2021-12-14T12:15:00Z", "severity": "HIGH" }, "details": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", "id": "GHSA-fp5r-v3w9-4333", "modified": "2023-10-26T15:04:19Z", "published": "2021-12-14T19:49:31Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" }, { "type": "WEB", "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2021-4104" }, { "type": "PACKAGE", "url": "https://github.com/apache/logging-log4j2" }, { "type": "WEB", "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202209-02" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202310-16" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-02" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202312-04" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20211223-0007" }, { "type": "WEB", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" }, { "type": "WEB", "url": "https://www.kb.cert.org/vuls/id/930724" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ], "summary": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data" }
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.