rhsa-2017_0829
Vulnerability from csaf_redhat
Published
2017-03-22 17:11
Modified
2024-11-05 19:57
Summary
Red Hat Security Advisory: jboss-ec2-eap security, bug fix, and enhancement update

Notes

Topic
An update for jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.14. Security Fix(es): * It was discovered that EAP packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for /etc/sysconfig/jbossas configuration files. The file is writable to jboss group (root:jboss, 664). On systems using classic /etc/init.d init scripts (i.e. on Red Hat Enterprise Linux 6 and earlier), the file is sourced by the jboss init script and its content executed with root privileges when jboss service is started, stopped, or restarted. (CVE-2016-8657) * It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. (CVE-2017-6056) * It was found that GZIPInterceptor is enabled when not necessarily required in RESTEasy. An attacker could use this flaw to launch a Denial of Service attack. (CVE-2016-6346) Red Hat would like to thank Mikhail Egorov (Odin) for reporting the CVE-2016-6346 issue.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2).\n\nWith this update, the jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.14.\n\nSecurity Fix(es):\n\n* It was discovered that EAP packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for /etc/sysconfig/jbossas configuration files. The file is writable to jboss group (root:jboss, 664). On systems using classic /etc/init.d init scripts (i.e. on Red Hat Enterprise Linux 6 and earlier), the file is sourced by the jboss init script and its content executed with root privileges when jboss service is started, stopped, or restarted. (CVE-2016-8657)\n\n* It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. (CVE-2017-6056)\n\n* It was found that GZIPInterceptor is enabled when not necessarily required in RESTEasy. An attacker could use this flaw to launch a Denial of Service attack. (CVE-2016-6346)\n\nRed Hat would like to thank Mikhail Egorov (Odin) for reporting the\nCVE-2016-6346 issue.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2017:0829",
        "url": "https://access.redhat.com/errata/RHSA-2017:0829"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/?version=6.4",
        "url": "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/?version=6.4"
      },
      {
        "category": "external",
        "summary": "1372120",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1372120"
      },
      {
        "category": "external",
        "summary": "1400343",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1400343"
      },
      {
        "category": "external",
        "summary": "1422148",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1422148"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_0829.json"
      }
    ],
    "title": "Red Hat Security Advisory: jboss-ec2-eap security, bug fix, and enhancement update",
    "tracking": {
      "current_release_date": "2024-11-05T19:57:59+00:00",
      "generator": {
        "date": "2024-11-05T19:57:59+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.1.1"
        }
      },
      "id": "RHSA-2017:0829",
      "initial_release_date": "2017-03-22T17:11:17+00:00",
      "revision_history": [
        {
          "date": "2017-03-22T17:11:17+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2017-03-22T17:11:17+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-05T19:57:59+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server",
                "product": {
                  "name": "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server",
                  "product_id": "6Server-JBEAP-6.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Enterprise Application Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.src",
                "product": {
                  "name": "jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.src",
                  "product_id": "jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jboss-ec2-eap@7.5.14-2.Final_redhat_2.ep6.el6?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch",
                "product": {
                  "name": "jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch",
                  "product_id": "jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jboss-ec2-eap@7.5.14-2.Final_redhat_2.ep6.el6?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jboss-ec2-eap-samples-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch",
                "product": {
                  "name": "jboss-ec2-eap-samples-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch",
                  "product_id": "jboss-ec2-eap-samples-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jboss-ec2-eap-samples@7.5.14-2.Final_redhat_2.ep6.el6?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server",
          "product_id": "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch"
        },
        "product_reference": "jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch",
        "relates_to_product_reference": "6Server-JBEAP-6.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server",
          "product_id": "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.src"
        },
        "product_reference": "jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.src",
        "relates_to_product_reference": "6Server-JBEAP-6.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jboss-ec2-eap-samples-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server",
          "product_id": "6Server-JBEAP-6.4:jboss-ec2-eap-samples-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch"
        },
        "product_reference": "jboss-ec2-eap-samples-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch",
        "relates_to_product_reference": "6Server-JBEAP-6.4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Mikhail Egorov"
          ],
          "organization": "Odin"
        }
      ],
      "cve": "CVE-2016-6346",
      "discovery_date": "2016-08-29T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1372120"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that GZIPInterceptor is enabled when not necessarily required in RESTEasy. An attacker could use this flaw to launch a Denial of Service attack.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "RESTEasy: Abuse of GZIPInterceptor in RESTEasy can lead to denial of service attack",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue was fixed in EAP 7.1.0, but was not fixed in 7.0.7\nOn Red Hat Satellite 6.5 this issue is fixed through the candlepin package update (candlepin 2.5.8), which contains a non-vulnerable version of RESTEasy.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch",
          "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.src",
          "6Server-JBEAP-6.4:jboss-ec2-eap-samples-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-6346"
        },
        {
          "category": "external",
          "summary": "RHBZ#1372120",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1372120"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-6346",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-6346"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-6346",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6346"
        }
      ],
      "release_date": "2016-09-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2017-03-22T17:11:17+00:00",
          "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch",
            "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.src",
            "6Server-JBEAP-6.4:jboss-ec2-eap-samples-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2017:0829"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch",
            "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.src",
            "6Server-JBEAP-6.4:jboss-ec2-eap-samples-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "RESTEasy: Abuse of GZIPInterceptor in RESTEasy can lead to denial of service attack"
    },
    {
      "cve": "CVE-2016-8657",
      "cwe": {
        "id": "CWE-732",
        "name": "Incorrect Permission Assignment for Critical Resource"
      },
      "discovery_date": "2016-08-09T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1400343"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was discovered that EAP packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for /etc/sysconfig/jbossas configuration files. The file is writable to jboss group (root:jboss, 664). On systems using classic /etc/init.d init scripts (i.e. on Red Hat Enterprise Linux 6 and earlier), the file is sourced by the jboss init script and its content executed with root privileges when jboss service is started, stopped, or restarted.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jboss: jbossas writable config files allow privilege escalation",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "It was found that a variant of the Tomcat CVE-2016-6325 exploit is also applicable to Red Hat JBoss Enterprise Application Platform 5 and 6. CVE-2016-8567 addresses these problems with JBoss EAP. The complexity is high as EAP has many files and configuration options. The issue is now corrected in JBoss Enterprise Application Platform EAP 6.4.14. For further information please refer https://access.redhat.com/articles/3016681",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch",
          "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.src",
          "6Server-JBEAP-6.4:jboss-ec2-eap-samples-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-8657"
        },
        {
          "category": "external",
          "summary": "RHBZ#1400343",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1400343"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-8657",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-8657"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-8657",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8657"
        }
      ],
      "release_date": "2016-10-10T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2017-03-22T17:11:17+00:00",
          "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch",
            "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.src",
            "6Server-JBEAP-6.4:jboss-ec2-eap-samples-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2017:0829"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 6.9,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch",
            "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.src",
            "6Server-JBEAP-6.4:jboss-ec2-eap-samples-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "jboss: jbossas writable config files allow privilege escalation"
    },
    {
      "cve": "CVE-2017-6056",
      "cwe": {
        "id": "CWE-835",
        "name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
      },
      "discovery_date": "2017-02-14T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1422148"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "tomcat: Infinite loop in the processing of https requests",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue was made easier to exploit, causing a denial of service when the patch for CVE-2016-6816 was present and the patch that corrected this flaw was not.\u00a0\u00a0The issue was not classified as a security flaw upstream.  It was corrected in products like Red Hat Enterprise Linux 6 and 7 and JBoss Enterprise Web Server 3 prior to the fix for CVE-2016-6816 being applied.  This was not the case for JBoss Enterprise Application Server 6.\u00a0\u00a0As a result, only EAP 6.4.13 is vulnerable to this issue and 6.4.14 corrects it.\u00a0\u00a0For further information, refer to https://access.redhat.com/articles/2991951",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch",
          "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.src",
          "6Server-JBEAP-6.4:jboss-ec2-eap-samples-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2017-6056"
        },
        {
          "category": "external",
          "summary": "RHBZ#1422148",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1422148"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2017-6056",
          "url": "https://www.cve.org/CVERecord?id=CVE-2017-6056"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-6056",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6056"
        },
        {
          "category": "external",
          "summary": "http://tomcat.apache.org/security-7.html",
          "url": "http://tomcat.apache.org/security-7.html"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/articles/2991951",
          "url": "https://access.redhat.com/articles/2991951"
        }
      ],
      "release_date": "2015-02-06T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2017-03-22T17:11:17+00:00",
          "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch",
            "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.src",
            "6Server-JBEAP-6.4:jboss-ec2-eap-samples-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2017:0829"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch",
            "6Server-JBEAP-6.4:jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6.src",
            "6Server-JBEAP-6.4:jboss-ec2-eap-samples-0:7.5.14-2.Final_redhat_2.ep6.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "tomcat: Infinite loop in the processing of https requests"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.