rhsa-2016_2036
Vulnerability from csaf_redhat
Published
2016-10-06 16:18
Modified
2024-11-22 09:16
Summary
Red Hat Security Advisory: Red Hat JBoss A-MQ 6.3 security update

Notes

Topic
Red Hat JBoss A-MQ 6.3, which fixes multiple security issues and includes several bug fixes and enhancements, is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant messaging system that is tailored for use in mission critical applications. Red Hat JBoss A-MQ 6.3 is a minor product release that updates Red Hat JBoss A-MQ 6.2.1, and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the Product Documentation link in the References section, for a list of these changes. Security Fix(es): It was found that Apache Shiro uses a default cipher key for its "remember me" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content. (CVE-2016-4437) A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. (CVE-2015-3192) It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries. (CVE-2015-7940) Refer to the Product Documentation link in the References section for installation instructions.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat JBoss A-MQ 6.3, which fixes multiple security issues and includes several bug fixes and enhancements, is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant messaging system that is tailored for use in mission critical applications.\n\nRed Hat JBoss A-MQ 6.3 is a minor product release that updates Red Hat JBoss A-MQ 6.2.1, and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the Product Documentation link in the References section, for a list of these changes.\n\nSecurity Fix(es):\n\nIt was found that Apache Shiro uses a default cipher key for its \"remember me\" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content. (CVE-2016-4437)\n\nA denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. (CVE-2015-3192)\n\nIt was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries. (CVE-2015-7940)\n\nRefer to the Product Documentation link in the References section for installation instructions.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2016:2036",
        "url": "https://access.redhat.com/errata/RHSA-2016:2036"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq\u0026downloadType=distributions\u0026version=6.3.0",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq\u0026downloadType=distributions\u0026version=6.3.0"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3",
        "url": "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3"
      },
      {
        "category": "external",
        "summary": "1239002",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1239002"
      },
      {
        "category": "external",
        "summary": "1276272",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1276272"
      },
      {
        "category": "external",
        "summary": "1343346",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1343346"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_2036.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss A-MQ 6.3 security update",
    "tracking": {
      "current_release_date": "2024-11-22T09:16:07+00:00",
      "generator": {
        "date": "2024-11-22T09:16:07+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2016:2036",
      "initial_release_date": "2016-10-06T16:18:02+00:00",
      "revision_history": [
        {
          "date": "2016-10-06T16:18:02+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2019-02-20T12:40:10+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T09:16:07+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss A-MQ 6.3",
                "product": {
                  "name": "Red Hat JBoss A-MQ 6.3",
                  "product_id": "Red Hat JBoss A-MQ 6.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_amq:6.3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss AMQ"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2015-3192",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2015-06-30T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1239002"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Framework: denial-of-service attack with XML input",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss A-MQ 6.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-3192"
        },
        {
          "category": "external",
          "summary": "RHBZ#1239002",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1239002"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-3192",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-3192"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-3192",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3192"
        },
        {
          "category": "external",
          "summary": "http://pivotal.io/security/cve-2015-3192",
          "url": "http://pivotal.io/security/cve-2015-3192"
        }
      ],
      "release_date": "2015-06-30T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2016-10-06T16:18:02+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).",
          "product_ids": [
            "Red Hat JBoss A-MQ 6.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:2036"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss A-MQ 6.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Framework: denial-of-service attack with XML input"
    },
    {
      "cve": "CVE-2015-5254",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2015-12-08T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1291292"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that use of a JMS ObjectMessage does not safely handle user supplied data when deserializing objects. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "ObjectMessage: unsafe deserialization",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "A malicious message producer needs to authenticate to EAP in order to send messages. Also, the use of JMS ObjectMessage needs to be chosen by the developer of the application. Therefore this issue is rated as moderate.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss A-MQ 6.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-5254"
        },
        {
          "category": "external",
          "summary": "RHBZ#1291292",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1291292"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-5254",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-5254"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5254",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5254"
        },
        {
          "category": "external",
          "summary": "http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt",
          "url": "http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt"
        }
      ],
      "release_date": "2015-12-08T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2016-10-06T16:18:02+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).",
          "product_ids": [
            "Red Hat JBoss A-MQ 6.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:2036"
        },
        {
          "category": "workaround",
          "details": "If you do deploy a JMS publisher, and subscriber, and don\u0027t trust the messages sent to you by your clients, you could mitigate this issue by installing a Java agent which restricts the classes which can be deserialized. This is an article with the recommended approach:\n\nhttps://access.redhat.com/solutions/2190911\n\nYou could also mitigate this issue using the features of the Java Virtual Machine added in JEP 290:\n\nhttp://openjdk.java.net/jeps/290",
          "product_ids": [
            "Red Hat JBoss A-MQ 6.3"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss A-MQ 6.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "ObjectMessage: unsafe deserialization"
    },
    {
      "cve": "CVE-2015-7940",
      "cwe": {
        "id": "CWE-358",
        "name": "Improperly Implemented Security Check for Standard"
      },
      "discovery_date": "2015-10-22T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1276272"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "bouncycastle: Invalid curve attack allowing to extract private keys",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss A-MQ 6.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-7940"
        },
        {
          "category": "external",
          "summary": "RHBZ#1276272",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1276272"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-7940",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-7940"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-7940",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7940"
        }
      ],
      "release_date": "2015-09-14T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2016-10-06T16:18:02+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).",
          "product_ids": [
            "Red Hat JBoss A-MQ 6.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:2036"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss A-MQ 6.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "bouncycastle: Invalid curve attack allowing to extract private keys"
    },
    {
      "cve": "CVE-2016-3088",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2016-05-24T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1339318"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "activemq: Fileserver web application vulnerability allowing RCE",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat JBoss A-MQ 6.3 , Red Hat JBoss Fuse 6.3, and Red Hat JBoss Fuse Service Works 6.0.0 do not provide the vulnerable component and are not affected by this flaw. Red Hat JBoss A-MQ 6.2.1 and Red Hat JBoss Fuse 6.2.1 disable the vulnerable component and as such are not vulnerable to this flaw. The fileserver component was first disabled in A-MQ 6.2.0 and Fuse 6.2.0. Users of older, unsupported versions of these products are strongly advised to observe the mitigation provided on this page.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss A-MQ 6.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-3088"
        },
        {
          "category": "external",
          "summary": "RHBZ#1339318",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1339318"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-3088",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-3088"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-3088",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3088"
        },
        {
          "category": "external",
          "summary": "http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt",
          "url": "http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt"
        },
        {
          "category": "external",
          "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
          "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
        }
      ],
      "release_date": "2016-05-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2016-10-06T16:18:02+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).",
          "product_ids": [
            "Red Hat JBoss A-MQ 6.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:2036"
        },
        {
          "category": "workaround",
          "details": "Users are advised to use other FTP and HTTP based file servers for transferring blob messages. Fileserver web application SHOULD NOT be used in older version of the broker and it should be disabled (it has been disabled by default since 5.12.0). This can be done by removing (commenting out) the following lines from conf\\jetty.xml file\n\n\u003cbean class=\"org.eclipse.jetty.webapp.WebAppContext\"\u003e\n    \u003cproperty name=\"contextPath\" value=\"/fileserver\" /\u003e\n    \u003cproperty name=\"resourceBase\" value=\"${activemq.home}/webapps/fileserver\" /\u003e\n    \u003cproperty name=\"logUrlOnStart\" value=\"true\" /\u003e\n    \u003cproperty name=\"parentLoaderPriority\" value=\"true\" /\u003e\n\u003c/bean\u003e",
          "product_ids": [
            "Red Hat JBoss A-MQ 6.3"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss A-MQ 6.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "exploit_status",
          "date": "2022-02-10T00:00:00+00:00",
          "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
        },
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "activemq: Fileserver web application vulnerability allowing RCE"
    },
    {
      "cve": "CVE-2016-4437",
      "cwe": {
        "id": "CWE-287",
        "name": "Improper Authentication"
      },
      "discovery_date": "2016-06-03T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1343346"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that Apache Shiro uses a default cipher key for its \"remember me\" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "shiro: Security constraint bypass",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss A-MQ 6.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-4437"
        },
        {
          "category": "external",
          "summary": "RHBZ#1343346",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1343346"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-4437",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-4437"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-4437",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4437"
        },
        {
          "category": "external",
          "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
          "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
        }
      ],
      "release_date": "2016-06-03T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2016-10-06T16:18:02+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).",
          "product_ids": [
            "Red Hat JBoss A-MQ 6.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:2036"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss A-MQ 6.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "exploit_status",
          "date": "2021-11-03T00:00:00+00:00",
          "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
        },
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "shiro: Security constraint bypass"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.