Score | Value |
---|---|
CVSS v2 base score | 5 (Medium) |
CVSS v2 vector | AV:N/AC:L/Au:N/C:N/I:N/A:P |
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |
EPSS | 0.034 (Low) |
EPSS percentile | 90.0% |
Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7.
It was discovered that JBoss Web did not limit the length of chunk sizes
when using chunked transfer encoding. A remote attacker could use this flaw
to perform a denial of service attack against JBoss Web by streaming an
unlimited quantity of data, leading to excessive consumption of server
resources. (CVE-2014-0075)
It was found that JBoss Web did not check for overflowing values when
parsing request content length headers. A remote attacker could use this
flaw to perform an HTTP request smuggling attack on a JBoss Web server
located behind a reverse proxy that processed the content length header
correctly. (CVE-2014-0099)
It was found that the org.apache.catalina.servlets.DefaultServlet
implementation in JBoss Web allowed the definition of XML External Entities
(XXEs) in provided XSLTs. A malicious application could use this to
circumvent intended security restrictions to disclose sensitive
information. (CVE-2014-0096)
It was found that, in certain circumstances, it was possible for a
malicious web application to replace the XML parsers used by JBoss Web to
process XSLTs for the default servlet, JSP documents, tag library
descriptors (TLDs), and tag plug-in configuration files. The injected XML
parser(s) could then bypass the limits imposed on XML external entities
and/or gain access to the XML files processed for other web applications
deployed on the same JBoss Web instance. (CVE-2014-0119)
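Both XML issues above come down to the same control: XML or XSLT supplied by an untrusted source must be processed by a parser that neither resolves external entities nor can be swapped out by the application being served. The following added example is not JBoss Web's or Red Hat's code; it is a Python illustration of the parser-side half of that control using the standard library's SAX interface: any DOCTYPE declaration is refused up front, and even when a caller opts in to DTDs, external general and parameter entity resolution is switched off, so a SYSTEM entity is simply not expanded. The sample documents are constructed for this example, and the `file:///PLACEHOLDER/secret` path is a placeholder that is never read.

```python
import io
import xml.sax
from xml.sax.handler import feature_external_ges, feature_external_pes

# Constructed sample inputs for the example.  The SYSTEM identifier is a
# placeholder path; the parser below never opens it.
SAMPLE_PLAIN_DOC = b'<?xml version="1.0"?><t>hello</t>'
SAMPLE_XXE_DOC = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE t [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret">]>\n'
    b'<t>hello &ext;</t>\n'
)


class _TextCollector(xml.sax.ContentHandler):
    """Collects character data so the example has something to return."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def has_doctype(data: bytes) -> bool:
    """Cheap pre-check: untrusted XML/XSLT should not carry a DTD at all.

    The keyword is case-sensitive in XML, so a plain substring test suffices;
    a false positive (e.g. inside a comment) only errs toward rejection.
    """
    return b"<!DOCTYPE" in data


def parse_untrusted_xml(data: bytes, allow_dtd: bool = False) -> str:
    """Parse XML from an untrusted source and return its text content.

    Layer 1: refuse any DOCTYPE unless the caller explicitly allows one.
    Layer 2: configure the SAX parser so external general and parameter
    entities are never fetched, so even an allowed DTD cannot pull in a
    local file or a remote URL.
    """
    if has_doctype(data) and not allow_dtd:
        raise ValueError("DOCTYPE declarations are not accepted from this source")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)   # no external general entities
    parser.setFeature(feature_external_pes, False)   # no external parameter entities
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return "".join(handler.parts).strip()


def accepts(data: bytes, allow_dtd: bool = False) -> bool:
    """True if the document is accepted by parse_untrusted_xml (used for checks)."""
    try:
        parse_untrusted_xml(data, allow_dtd=allow_dtd)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(parse_untrusted_xml(SAMPLE_PLAIN_DOC))           # hello
    print(accepts(SAMPLE_XXE_DOC))                         # False: DOCTYPE refused
    print(parse_untrusted_xml(SAMPLE_XXE_DOC, allow_dtd=True))  # hello, &ext; not expanded
```

Refusing the DOCTYPE outright is the stronger of the two layers and is the default; disabling external entity resolution is defence in depth for the cases where a DTD is genuinely required. Neither layer helps if the application can substitute its own parser implementation, which is why the second issue above (CVE-2014-0119) is about pinning the parser the container uses, not only about how it is configured.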
The CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product
Security.
All users of Red Hat JBoss Enterprise Application Platform 6.2.4 on Red Hat
Enterprise Linux 5 and 6 are advised to upgrade to these updated packages.
The JBoss server process must be restarted for the update to take effect.
OS | OS version | Architecture | Package | Affected package version | Filename |
---|---|---|---|---|---|
RedHat | 5 | noarch | jbossweb | < 7.3.2-4.Final_redhat_3.1.ep6.el5 | jbossweb-7.3.2-4.Final_redhat_3.1.ep6.el5.noarch.rpm |
RedHat | 6 | src | jbossweb | < 7.3.2-4.Final_redhat_3.1.ep6.el6 | jbossweb-7.3.2-4.Final_redhat_3.1.ep6.el6.src.rpm |
RedHat | 6 | noarch | jbossweb | < 7.3.2-4.Final_redhat_3.1.ep6.el6 | jbossweb-7.3.2-4.Final_redhat_3.1.ep6.el6.noarch.rpm |
RedHat | 5 | src | jbossweb | < 7.3.2-4.Final_redhat_3.1.ep6.el5 | jbossweb-7.3.2-4.Final_redhat_3.1.ep6.el5.src.rpm |