Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
redhatRedHatRHSA-2015:0034
HistoryJan 12, 2015 - 5:26 p.m.

(RHSA-2015:0034) Moderate: Red Hat JBoss Data Virtualization 6.0.0 security update

2015-01-1217:26:21
access.redhat.com
14

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.004 Low

EPSS

Percentile

71.3%

JSON

Red Hat JBoss Data Virtualization is a lean data integration solution that
provides easy, real-time, and unified data access across disparate sources
to multiple applications and users. JBoss Data Virtualization makes data
spread across physically distinct systems—such as multiple databases, XML
files, and even Hadoop systems—appear as a set of tables in a local
database.

This roll up patch serves as a cumulative upgrade for Red Hat JBoss Data
Virtualization 6.0.0. It includes various bug fixes, which are listed in
the README file included with the patch files.

The following security issues are also fixed with this release:

It was found that Odata4j permitted XML eXternal Entity (XXE) attacks. If a
REST endpoint was deployed, a remote attacker could submit a request
containing an external XML entity that, when resolved, allowed that
attacker to read files on the application server in the context of the user
running that server. (CVE-2014-0171)

The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp when the native libraries were bundled in a JAR file, and no custom
library path was specified. A local attacker could overwrite these native
libraries with malicious versions during the window between when HawtJNI
writes them and when they are executed. (CVE-2013-2035)

It was found that the security audit functionality logged request
parameters in plain text. This may have caused passwords to be included in
the audit log files when using BASIC or FORM-based authentication. A local
attacker with access to audit log files could possibly use this flaw to
obtain application or server authentication credentials. (CVE-2014-0058)

The CVE-2014-0171 issue was discovered by David Jorm of Red Hat Product
Security; the CVE-2013-2035 issue was discovered by Florian Weimer of Red
Hat Product Security.

All users of Red Hat JBoss Data Virtualization 6.0.0 as provided from the
Red Hat Customer Portal are advised to apply this roll up patch.

Related

prion 3
cvelist 3
github 1
ubuntucve 1
debiancve 1
osv 1
veracode 3
cve 3
mageia 1
openvas 1
redhat 17
nessus 6
seebug 1
prion
prion
Race condition
2013-08-28 23:55:00
Input validation
2014-02-26 15:55:00
Xxe
2015-01-15 15:59:00
cvelist
cvelist
CVE-2013-2035
2013-08-28 17:18:00
CVE-2014-0058
2014-02-26 15:00:00
CVE-2014-0171
2015-01-15 15:00:00
github
github
Improper Control of Generation of Code in HawtJNI
2022-05-17 04:17:07
ubuntucve
ubuntucve
CVE-2013-2035
2013-08-28 00:00:00
debiancve
debiancve
CVE-2013-2035
2013-08-28 23:55:00
osv
osv
Improper Control of Generation of Code in HawtJNI
2022-05-17 04:17:07
veracode
veracode
Code Execution Using A Race Condition
2019-01-15 08:52:34
Information Disclosure
2019-01-15 08:57:19
XML External Entity (XXE)
2019-07-11 03:05:05
cve
cve
CVE-2013-2035
2013-08-28 23:55:00
CVE-2014-0058
2014-02-26 15:55:00
CVE-2014-0171
2015-01-15 15:59:00
mageia
mageia
Updated hawtjni packages fix security vulnerability
2014-11-21 15:44:16
openvas
openvas
Mageia: Security Advisory (MGASA-2014-0461)
2022-01-28 00:00:00
redhat
redhat
(RHSA-2014:0205) Low: Red Hat JBoss Enterprise Application Platform 6.2.1 security update
2014-02-24 17:43:41
(RHSA-2014:0204) Low: Red Hat JBoss Enterprise Application Platform 6.2.1 security update
2014-02-24 00:00:00
(RHSA-2014:1995) Important: Red Hat JBoss Fuse Service Works 6.0.0 security update
2014-12-15 20:30:18
nessus
nessus
RHEL 5 / 6 : JBoss EAP (RHSA-2014:0204)
2014-02-25 00:00:00
RHEL 5 : JBoss EAP (RHSA-2013:1784)
2014-01-10 00:00:00
RHEL 6 : JBoss EAP (RHSA-2013:1786)
2013-12-05 00:00:00
seebug
seebug
JBoss Enterprise Application Platform明文密码本地信息泄漏漏洞
2014-02-27 00:00:00

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.004 Low

EPSS

Percentile

71.3%

JSON
Related for RHSA-2015:0034
prion3cvelist3github1ubuntucve1debiancve1osv1veracode3cve3mageia1openvas1redhat17nessus6seebug1