RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.3.2 (RHSA-2020:3462)


The remote Red Hat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities, as referenced in the RHSA-2020:3462 advisory:

- hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900)
- jackson-databind: mishandles the interaction between serialization gadgets and typing, which could result in remote command execution (CVE-2020-10672, CVE-2020-10673)
- dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683)
- Undertow: incomplete fix for CVE-2017-2666 due to permitting invalid characters in HTTP requests (CVE-2020-10687)
- hibernate-validator: improper input validation in the interpolation of constraint error messages (CVE-2020-10693)
- wildfly-elytron: session fixation when using FORM authentication (CVE-2020-10714)
- wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API (CVE-2020-10718)
- wildfly: unsafe deserialization in WildFly Enterprise Java Beans (CVE-2020-10740)
- netty: compression/decompression codecs don't enforce limits on buffer allocation sizes (CVE-2020-11612)
- wildfly: some EJB transaction objects may get accumulated, causing denial of service (CVE-2020-14297)
- wildfly: EJB SessionOpenInvocations may not be removed properly after a response is received, causing denial of service (CVE-2020-14307)
- EAP: field-name is not parsed in accordance with RFC7230 (CVE-2020-1710)
- WildFly: improper authorization issue in WildFlySecurityManager when using an alternative protection domain (CVE-2020-1748)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.