rhsa-2014_1021
Vulnerability from csaf_redhat
Published
2014-08-06 14:52
Modified
2024-11-05 18:32
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.3.0 update

Notes

Topic
Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.3.0 and fix multiple security issues, several bugs, and add various enhancements are now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
Details
Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user. (CVE-2014-0226)

A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the "DEFLATE" input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system. (CVE-2014-0118)

A denial of service flaw was found in the way OpenSSL handled certain DTLS ServerHello requests. A specially crafted DTLS handshake packet could cause a DTLS client using OpenSSL to crash. (CVE-2014-0221)

Note: This update provides a fix for the CVE-2014-0221 issue in openssl packages for Solaris, HP-UX, and Microsoft Windows.

A denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely. (CVE-2014-0231)

A flaw was found in the WebSocket08FrameDecoder implementation that could allow a remote attacker to trigger an Out Of Memory Exception by issuing a series of TextWebSocketFrame and ContinuationWebSocketFrames. Depending on the server configuration, this could lead to a denial of service. (CVE-2014-0193)

It was found that the isCallerInRole() method of the SimpleSecurityManager did not correctly check caller roles. A remote, authenticated attacker could use this flaw to circumvent the caller check in applications that use black list access control based on caller roles. (CVE-2014-3472)

Red Hat would like to thank the OpenSSL project for reporting CVE-2014-0221; upstream acknowledges Imre Rad of Search-Lab as the original reporter of this issue. Red Hat would also like to thank James Roper of Typesafe for reporting CVE-2014-0193, and CA Technologies for reporting CVE-2014-3472.

This release of JBoss Enterprise Application Platform also includes bug fixes and enhancements. Documentation for these changes will be available shortly from the JBoss Enterprise Application Platform 6.3.0 Release Notes, linked to in the References.

All users of Red Hat JBoss Enterprise Application Platform 6.2 as provided from the Red Hat Customer Portal are advised to apply this update. The JBoss server process must be restarted for the update to take effect.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated packages that provide Red Hat JBoss Enterprise Application Platform\n6.3.0 and fix multiple security issues, several bugs, and add various\nenhancements are now available from the Red Hat Customer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java\napplications based on JBoss Application Server 7.\n\nA race condition flaw, leading to heap-based buffer overflows, was found in\nthe mod_status httpd module. A remote attacker able to access a status page\nserved by mod_status on a server using a threaded Multi-Processing Module\n(MPM) could send a specially crafted request that would cause the httpd\nchild process to crash or, possibly, allow the attacker to execute\narbitrary code with the privileges of the \"apache\" user. (CVE-2014-0226)\n\nA denial of service flaw was found in the way httpd\u0027s mod_deflate module\nhandled request body decompression (configured via the \"DEFLATE\" input\nfilter). A remote attacker able to send a request whose body would be\ndecompressed could use this flaw to consume an excessive amount of system\nmemory and CPU on the target system. (CVE-2014-0118)\n\nA denial of service flaw was found in the way OpenSSL handled certain DTLS\nServerHello requests. A specially crafted DTLS handshake packet could cause\na DTLS client using OpenSSL to crash. (CVE-2014-0221)\n\nNote: This update provides a fix for the CVE-2014-0221 issue in openssl\npackages for Solaris, HP-UX, and Microsoft Windows.\n\nA denial of service flaw was found in the way httpd\u0027s mod_cgid module\nexecuted CGI scripts that did not read data from the standard input.\nA remote attacker could submit a specially crafted request that would cause\nthe httpd child process to hang indefinitely. (CVE-2014-0231)\n\nA flaw was found in the WebSocket08FrameDecoder implementation that could\nallow a remote attacker to trigger an Out Of Memory Exception by issuing a\nseries of TextWebSocketFrame and ContinuationWebSocketFrames. Depending on\nthe server configuration, this could lead to a denial of service.\n(CVE-2014-0193)\n\nIt was found that the isCallerInRole() method of the SimpleSecurityManager\ndid not correctly check caller roles. A remote, authenticated attacker\ncould use this flaw to circumvent the caller check in applications that use\nblack list access control based on caller roles. (CVE-2014-3472)\n\nRed Hat would like to thank the OpenSSL project for reporting\nCVE-2014-0221; upstream acknowledges Imre Rad of Search-Lab as the original\nreporter of this issue. Red Hat would also like to thank James Roper of\nTypesafe for reporting CVE-2014-0193, and CA Technologies for reporting\nCVE-2014-3472.\n\nThis release of JBoss Enterprise Application Platform also includes bug\nfixes and enhancements. Documentation for these changes will be available\nshortly from the JBoss Enterprise Application Platform 6.3.0 Release Notes,\nlinked to in the References.\n\nAll users of Red Hat JBoss Enterprise Application Platform 6.2 as provided\nfrom the Red Hat Customer Portal are advised to apply this update.\nThe JBoss server process must be restarted for the update to take effect.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2014:1021",
        "url": "https://access.redhat.com/errata/RHSA-2014:1021"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=distributions\u0026version=6.3",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=distributions\u0026version=6.3"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.3/html/6.3.0_Release_Notes/index.html",
        "url": "https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.3/html/6.3.0_Release_Notes/index.html"
      },
      {
        "category": "external",
        "summary": "1092783",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1092783"
      },
      {
        "category": "external",
        "summary": "1103593",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1103593"
      },
      {
        "category": "external",
        "summary": "1103815",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1103815"
      },
      {
        "category": "external",
        "summary": "1120596",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1120596"
      },
      {
        "category": "external",
        "summary": "1120601",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1120601"
      },
      {
        "category": "external",
        "summary": "1120603",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1120603"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_1021.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.3.0 update",
    "tracking": {
      "current_release_date": "2024-11-05T18:32:14+00:00",
      "generator": {
        "date": "2024-11-05T18:32:14+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.1.1"
        }
      },
      "id": "RHSA-2014:1021",
      "initial_release_date": "2014-08-06T14:52:25+00:00",
      "revision_history": [
        {
          "date": "2014-08-06T14:52:25+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2014-08-06T14:52:25+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-05T18:32:14+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Enterprise Application Platform 6.3",
                "product": {
                  "name": "Red Hat JBoss Enterprise Application Platform 6.3",
                  "product_id": "Red Hat JBoss Enterprise Application Platform 6.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6.3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Enterprise Application Platform"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2014-0118",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2014-07-17T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1120601"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A denial of service flaw was found in the way httpd\u0027s mod_deflate module handled request body decompression (configured via the \"DEFLATE\" input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "httpd: mod_deflate denial of service",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 6.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0118"
        },
        {
          "category": "external",
          "summary": "RHBZ#1120601",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1120601"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0118",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0118"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0118",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0118"
        },
        {
          "category": "external",
          "summary": "http://httpd.apache.org/security/vulnerabilities_24.html",
          "url": "http://httpd.apache.org/security/vulnerabilities_24.html"
        }
      ],
      "release_date": "2014-07-17T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-08-06T14:52:25+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting Red Hat JBoss Enterprise Application Platform installation and\ndeployed applications.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 6.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:1021"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 6.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "httpd: mod_deflate denial of service"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "James Roper"
          ],
          "organization": "Typesafe"
        }
      ],
      "cve": "CVE-2014-0193",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2014-04-28T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1092783"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the WebSocket08FrameDecoder implementation that could allow a remote attacker to trigger an Out Of Memory Exception by issuing a series of TextWebSocketFrame and ContinuationWebSocketFrames. Depending on the server configuration, this could lead to a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: DoS via memory exhaustion during data aggregation",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 6.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0193"
        },
        {
          "category": "external",
          "summary": "RHBZ#1092783",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1092783"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0193",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0193"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0193",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0193"
        }
      ],
      "release_date": "2014-05-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-08-06T14:52:25+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting Red Hat JBoss Enterprise Application Platform installation and\ndeployed applications.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 6.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:1021"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 6.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "netty: DoS via memory exhaustion during data aggregation"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "OpenSSL project"
          ]
        },
        {
          "names": [
            "Imre Rad"
          ],
          "organization": "Search-Lab",
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2014-0221",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2014-06-02T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1103593"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A denial of service flaw was found in the way OpenSSL handled certain DTLS ServerHello requests. A specially crafted DTLS handshake packet could cause a DTLS client using OpenSSL to crash.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "openssl: DoS when sending invalid DTLS handshake",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 6.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0221"
        },
        {
          "category": "external",
          "summary": "RHBZ#1103593",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1103593"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0221",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0221"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0221",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0221"
        },
        {
          "category": "external",
          "summary": "https://www.openssl.org/news/secadv_20140605.txt",
          "url": "https://www.openssl.org/news/secadv_20140605.txt"
        }
      ],
      "release_date": "2014-06-05T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-08-06T14:52:25+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting Red Hat JBoss Enterprise Application Platform installation and\ndeployed applications.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 6.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:1021"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 6.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "openssl: DoS when sending invalid DTLS handshake"
    },
    {
      "cve": "CVE-2014-0226",
      "cwe": {
        "id": "CWE-122",
        "name": "Heap-based Buffer Overflow"
      },
      "discovery_date": "2014-07-17T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1120603"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the \"apache\" user.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "httpd: mod_status heap-based buffer overflow",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 6.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0226"
        },
        {
          "category": "external",
          "summary": "RHBZ#1120603",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1120603"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0226",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0226"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0226",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0226"
        },
        {
          "category": "external",
          "summary": "http://httpd.apache.org/security/vulnerabilities_24.html",
          "url": "http://httpd.apache.org/security/vulnerabilities_24.html"
        }
      ],
      "release_date": "2014-07-17T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-08-06T14:52:25+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting Red Hat JBoss Enterprise Application Platform installation and\ndeployed applications.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 6.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:1021"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 6.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "httpd: mod_status heap-based buffer overflow"
    },
    {
      "cve": "CVE-2014-0227",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2014-06-12T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1109196"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was discovered that the ChunkedInputFilter in Tomcat did not fail subsequent attempts to read input after malformed chunked encoding was detected. A remote attacker could possibly use this flaw to make Tomcat process part of the request body as new request, or cause a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Tomcat/JBossWeb: request smuggling and limited DoS in ChunkedInputFilter",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 6.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0227"
        },
        {
          "category": "external",
          "summary": "RHBZ#1109196",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1109196"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0227",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0227"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0227",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0227"
        },
        {
          "category": "external",
          "summary": "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.43",
          "url": "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.43"
        },
        {
          "category": "external",
          "summary": "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.55",
          "url": "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.55"
        }
      ],
      "release_date": "2015-02-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-08-06T14:52:25+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting Red Hat JBoss Enterprise Application Platform installation and\ndeployed applications.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 6.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:1021"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 6.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Tomcat/JBossWeb: request smuggling and limited DoS in ChunkedInputFilter"
    },
    {
      "cve": "CVE-2014-0231",
      "discovery_date": "2014-07-17T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1120596"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A denial of service flaw was found in the way httpd\u0027s mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "httpd: mod_cgid denial of service",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 6.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0231"
        },
        {
          "category": "external",
          "summary": "RHBZ#1120596",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1120596"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0231",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0231"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0231",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0231"
        },
        {
          "category": "external",
          "summary": "http://httpd.apache.org/security/vulnerabilities_24.html",
          "url": "http://httpd.apache.org/security/vulnerabilities_24.html"
        }
      ],
      "release_date": "2014-07-17T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-08-06T14:52:25+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting Red Hat JBoss Enterprise Application Platform installation and\ndeployed applications.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 6.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:1021"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 6.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "httpd: mod_cgid denial of service"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Tomas Kyjovsky"
          ],
          "organization": "Red Hat Quality Engineering Team",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2014-3464",
      "discovery_date": "2014-05-27T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1102317"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that the fix for CVE-2013-2133 was incomplete: the JAX-WS handlers were being executed for outbound messages even when authorization had failed. A remote attacker who is authorized to access the EJB class, could invoke a JAX-WS handler which they were not authorized to invoke.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "WS: Incomplete fix for CVE-2013-2133",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 6.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-3464"
        },
        {
          "category": "external",
          "summary": "RHBZ#1102317",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1102317"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-3464",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-3464"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-3464",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3464"
        }
      ],
      "release_date": "2014-08-06T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-08-06T14:52:25+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting Red Hat JBoss Enterprise Application Platform installation and\ndeployed applications.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 6.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:1021"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 6.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "WS: Incomplete fix for CVE-2013-2133"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "CA Technologies"
          ]
        }
      ],
      "cve": "CVE-2014-3472",
      "cwe": {
        "id": "CWE-184",
        "name": "Incomplete List of Disallowed Inputs"
      },
      "discovery_date": "2014-05-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1103815"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that the isCallerInRole() method of the SimpleSecurityManager did not correctly check caller roles. A remote, authenticated attacker could use this flaw to circumvent the caller check in applications that use black list access control based on caller roles.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Security: Invalid EJB caller role check implementation",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 6.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-3472"
        },
        {
          "category": "external",
          "summary": "RHBZ#1103815",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1103815"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-3472",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-3472"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-3472",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3472"
        }
      ],
      "release_date": "2014-08-06T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-08-06T14:52:25+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting Red Hat JBoss Enterprise Application Platform installation and\ndeployed applications.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 6.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:1021"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 2.1,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 6.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "Security: Invalid EJB caller role check implementation"
    }
  ]
}

