csaf_redhat - rhsa-2016

rhsa-2016_2072

Vulnerability from csaf_redhat

Published

2016-10-17 19:15

Modified

2024-09-13 11:33

Summary

Red Hat Security Advisory: jboss-ec2-eap security and enhancement update for EAP 6.4.11

Notes

Topic

An update for jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java EE applications. It is based on JBoss Application Server 7 and incorporates multiple open-source projects to provide a complete Java EE platform solution. Security Fix(es): * A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092) Enhancement(s): * The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the packages have been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.11. Users of EAP 6.4.10 jboss-ec2-eap are advised to upgrade to these updated packages, which add this enhancement.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java EE applications. It is based on JBoss Application Server 7 and incorporates multiple open-source projects to provide a complete Java EE platform solution.\n\nSecurity Fix(es):\n\n* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)\n\nEnhancement(s):\n\n* The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the packages have been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.11.\n\nUsers of EAP 6.4.10 jboss-ec2-eap are advised to upgrade to these updated packages, which add this enhancement.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2016:2072",
        "url": "https://access.redhat.com/errata/RHSA-2016:2072"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html",
        "url": "https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html"
      },
      {
        "category": "external",
        "summary": "1349468",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1349468"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2016/rhsa-2016_2072.json"
      }
    ],
    "title": "Red Hat Security Advisory: jboss-ec2-eap security and enhancement update for EAP 6.4.11",
    "tracking": {
      "current_release_date": "2024-09-13T11:33:34+00:00",
      "generator": {
        "date": "2024-09-13T11:33:34+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "3.33.3"
        }
      },
      "id": "RHSA-2016:2072",
      "initial_release_date": "2016-10-17T19:15:20+00:00",
      "revision_history": [
        {
          "date": "2016-10-17T19:15:20+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2016-10-17T19:15:20+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-09-13T11:33:34+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server",
                "product": {
                  "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server",
                  "product_id": "6Server-JBEAP-6.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Enterprise Application Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jboss-ec2-eap-samples-0:7.5.11-1.Final_redhat_1.ep6.el6.noarch",
                "product": {
                  "name": "jboss-ec2-eap-samples-0:7.5.11-1.Final_redhat_1.ep6.el6.noarch",
                  "product_id": "jboss-ec2-eap-samples-0:7.5.11-1.Final_redhat_1.ep6.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jboss-ec2-eap-samples@7.5.11-1.Final_redhat_1.ep6.el6?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jboss-ec2-eap-0:7.5.11-1.Final_redhat_1.ep6.el6.noarch",
                "product": {
                  "name": "jboss-ec2-eap-0:7.5.11-1.Final_redhat_1.ep6.el6.noarch",
                  "product_id": "jboss-ec2-eap-0:7.5.11-1.Final_redhat_1.ep6.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jboss-ec2-eap@7.5.11-1.Final_redhat_1.ep6.el6?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jboss-ec2-eap-0:7.5.11-1.Final_redhat_1.ep6.el6.src",
                "product": {
                  "name": "jboss-ec2-eap-0:7.5.11-1.Final_redhat_1.ep6.el6.src",
                  "product_id": "jboss-ec2-eap-0:7.5.11-1.Final_redhat_1.ep6.el6.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jboss-ec2-eap@7.5.11-1.Final_redhat_1.ep6.el6?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jboss-ec2-eap-0:7.5.11-1.Final_redhat_1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server",
          "product_id": "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.11-1.Final_redhat_1.ep6.el6.noarch"
        },
        "product_reference": "jboss-ec2-eap-0:7.5.11-1.Final_redhat_1.ep6.el6.noarch",
        "relates_to_product_reference": "6Server-JBEAP-6.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jboss-ec2-eap-0:7.5.11-1.Final_redhat_1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server",
          "product_id": "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.11-1.Final_redhat_1.ep6.el6.src"
        },
        "product_reference": "jboss-ec2-eap-0:7.5.11-1.Final_redhat_1.ep6.el6.src",
        "relates_to_product_reference": "6Server-JBEAP-6.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jboss-ec2-eap-samples-0:7.5.11-1.Final_redhat_1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server",
          "product_id": "6Server-JBEAP-6.4:jboss-ec2-eap-samples-0:7.5.11-1.Final_redhat_1.ep6.el6.noarch"
        },
        "product_reference": "jboss-ec2-eap-samples-0:7.5.11-1.Final_redhat_1.ep6.el6.noarch",
        "relates_to_product_reference": "6Server-JBEAP-6.4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2016-3092",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2016-06-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1349468"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "tomcat: Usage of vulnerable FileUpload package can result in denial of service",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.11-1.Final_redhat_1.ep6.el6.noarch",
          "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.11-1.Final_redhat_1.ep6.el6.src",
          "6Server-JBEAP-6.4:jboss-ec2-eap-samples-0:7.5.11-1.Final_redhat_1.ep6.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-3092"
        },
        {
          "category": "external",
          "summary": "RHBZ#1349468",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1349468"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-3092",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-3092"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-3092",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3092"
        },
        {
          "category": "external",
          "summary": "http://tomcat.apache.org/security-7.html",
          "url": "http://tomcat.apache.org/security-7.html"
        },
        {
          "category": "external",
          "summary": "http://tomcat.apache.org/security-8.html",
          "url": "http://tomcat.apache.org/security-8.html"
        }
      ],
      "release_date": "2016-06-21T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.11-1.Final_redhat_1.ep6.el6.noarch",
            "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.11-1.Final_redhat_1.ep6.el6.src",
            "6Server-JBEAP-6.4:jboss-ec2-eap-samples-0:7.5.11-1.Final_redhat_1.ep6.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:2072"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.11-1.Final_redhat_1.ep6.el6.noarch",
            "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.11-1.Final_redhat_1.ep6.el6.src",
            "6Server-JBEAP-6.4:jboss-ec2-eap-samples-0:7.5.11-1.Final_redhat_1.ep6.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "tomcat: Usage of vulnerable FileUpload package can result in denial of service"
    }
  ]
}

cve-2016-3092

Vulnerability from cvelistv5

Published

2016-07-04 22:00

Modified

2024-08-05 23:40

Severity

Summary

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

References

URL	Tags
http://jvndb.jvn.jp/jvndb/JVNDB-2016-000121	third-party-advisory, x_refsource_JVNDB
https://security.netapp.com/advisory/ntap-20190212-0001/	x_refsource_CONFIRM
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759	x_refsource_CONFIRM
http://svn.apache.org/viewvc?view=revision&revision=1743480	x_refsource_CONFIRM
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	x_refsource_CONFIRM
https://security.gentoo.org/glsa/201705-09	vendor-advisory, x_refsource_GENTOO
http://svn.apache.org/viewvc?view=revision&revision=1743738	x_refsource_CONFIRM
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840	x_refsource_CONFIRM
http://tomcat.apache.org/security-9.html	x_refsource_CONFIRM
http://www.ubuntu.com/usn/USN-3024-1	vendor-advisory, x_refsource_UBUNTU
http://rhn.redhat.com/errata/RHSA-2016-2069.html	vendor-advisory, x_refsource_REDHAT
http://www.securitytracker.com/id/1037029	vdb-entry, x_refsource_SECTRACK
http://rhn.redhat.com/errata/RHSA-2016-2068.html	vendor-advisory, x_refsource_REDHAT
http://tomcat.apache.org/security-7.html	x_refsource_CONFIRM
http://www.securitytracker.com/id/1036900	vdb-entry, x_refsource_SECTRACK
http://www.securityfocus.com/bid/91453	vdb-entry, x_refsource_BID
http://tomcat.apache.org/security-8.html	x_refsource_CONFIRM
http://rhn.redhat.com/errata/RHSA-2016-2072.html	vendor-advisory, x_refsource_REDHAT
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html	x_refsource_CONFIRM
http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html	x_refsource_CONFIRM
http://svn.apache.org/viewvc?view=revision&revision=1743722	x_refsource_CONFIRM
http://www.debian.org/security/2016/dsa-3611	vendor-advisory, x_refsource_DEBIAN
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371	x_refsource_CONFIRM
http://rhn.redhat.com/errata/RHSA-2016-2807.html	vendor-advisory, x_refsource_REDHAT
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html	x_refsource_CONFIRM
http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html	vendor-advisory, x_refsource_SUSE
http://jvn.jp/en/jp/JVN89379547/index.html	third-party-advisory, x_refsource_JVN
http://www.securitytracker.com/id/1036427	vdb-entry, x_refsource_SECTRACK
http://rhn.redhat.com/errata/RHSA-2016-2070.html	vendor-advisory, x_refsource_REDHAT
http://rhn.redhat.com/errata/RHSA-2017-0457.html	vendor-advisory, x_refsource_REDHAT
http://rhn.redhat.com/errata/RHSA-2016-2808.html	vendor-advisory, x_refsource_REDHAT
http://www.securitytracker.com/id/1039606	vdb-entry, x_refsource_SECTRACK
http://svn.apache.org/viewvc?view=revision&revision=1743742	x_refsource_CONFIRM
http://rhn.redhat.com/errata/RHSA-2016-2599.html	vendor-advisory, x_refsource_REDHAT
http://www.debian.org/security/2016/dsa-3609	vendor-advisory, x_refsource_DEBIAN
https://access.redhat.com/errata/RHSA-2017:0455	vendor-advisory, x_refsource_REDHAT
http://www.debian.org/security/2016/dsa-3614	vendor-advisory, x_refsource_DEBIAN
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html	x_refsource_CONFIRM
http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E	mailing-list, x_refsource_MLIST
https://access.redhat.com/errata/RHSA-2017:0456	vendor-advisory, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=1349468	x_refsource_CONFIRM
http://rhn.redhat.com/errata/RHSA-2016-2071.html	vendor-advisory, x_refsource_REDHAT
http://www.ubuntu.com/usn/USN-3027-1	vendor-advisory, x_refsource_UBUNTU
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	x_refsource_MISC
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
https://www.oracle.com/security-alerts/cpuapr2020.html	x_refsource_MISC
https://security.gentoo.org/glsa/202107-39	vendor-advisory, x_refsource_GENTOO

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website