RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.2.9 on RHEL 7 (RHSA-2020:3638)


The remote Red Hat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3638 advisory:

- hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900)
- jackson-databind: mishandles the interaction between serialization gadgets and typing, which could result in remote command execution (CVE-2020-10672, CVE-2020-10673)
- dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683)
- Undertow: incomplete fix for CVE-2017-2666 due to permitting invalid characters in HTTP requests (CVE-2020-10687)
- hibernate-validator: improper input validation in the interpolation of constraint error messages (CVE-2020-10693)
- wildfly-elytron: session fixation when using FORM authentication (CVE-2020-10714)
- wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API (CVE-2020-10718)
- wildfly: unsafe deserialization in WildFly Enterprise Java Beans (CVE-2020-10740)
- wildfly: some EJB transaction objects may accumulate, causing denial of service (CVE-2020-14297)
- wildfly: EJB SessionOpenInvocations may not be removed properly after a response is received, causing denial of service (CVE-2020-14307)
- resteasy: improper validation of response header in the MediaTypeHeaderDelegate.java class (CVE-2020-1695)
- EAP: field-name is not parsed in accordance with RFC 7230 (CVE-2020-1710)
- WildFly: improper authorization issue in WildFlySecurityManager when using an alternative protection domain (CVE-2020-1748)
- Mojarra: path traversal via either the loc parameter or the con parameter; incomplete fix of CVE-2018-14371 (CVE-2020-6950)
- jackson-databind: lacks certain xbean-reflect/JNDI blocking (CVE-2020-8840)
- jackson-databind: serialization gadgets in shaded-hikari-config (CVE-2020-9546)
- jackson-databind: serialization gadgets in ibatis-sqlmap (CVE-2020-9547)
- jackson-databind: serialization gadgets in anteros-core (CVE-2020-9548)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.