Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
redhatRedHatRHSA-2016:1376
HistoryJun 30, 2016 - 8:59 p.m.

(RHSA-2016:1376) Critical: Red Hat JBoss SOA Platform security update

2016-06-3020:59:23
access.redhat.com
26

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.118 Low

EPSS

Percentile

94.7%

JSON

Red Hat JBoss SOA Platform is the next-generation ESB and business process
automation infrastructure. Red Hat JBoss SOA Platform allows IT to leverage
existing (MoM and EAI), modern (SOA and BPM-Rules), and future (EDA and
CEP) integration methodologies to dramatically improve business process
execution speed and quality.

Security Fix(es):

  • It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks. (CVE-2016-2141)

  • It was found that a prior countermeasure in Apache WSS4J for Bleichenbacher’s attack on XML Encryption (CVE-2011-2487) threw an exception that permitted an attacker to determine the failure of the attempted attack, thereby leaving WSS4J vulnerable to the attack. The original flaw allowed a remote attacker to recover the entire plain text form of a symmetric key. (CVE-2015-0226)

  • It was found that the Java Standard Tag Library (JSTL) allowed the processing of untrusted XML documents to utilize external entity references, which could access resources on the host system and, potentially, allowing arbitrary code execution. (CVE-2015-0254)

  • A flaw was discovered in the way applications using Groovy used the standard Java serialization mechanism. A remote attacker could use a specially crafted serialized object that would execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2015-3253)

  • A deserialization flaw allowing remote code execution was found in the BeanShell library. If BeanShell was on the classpath, it could permit code execution if another part of the application deserialized objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the BeanShell library. (CVE-2016-2510)

The CVE-2016-2141 issue was discovered by Dennis Reed (Red Hat).

Related

ubuntucve 6
prion 7
debiancve 4
cve 7
github 6
osv 9
seebug 2
nessus 35
f5 2
mageia 3
openvas 21
freebsd 3
redhatcve 1
redhat 27
fedora 4
zdi 1
gentoo 2
suse 6
ibm 31
veracode 4
ubuntu 2
debian 4
oraclelinux 1
kaspersky 1
securityvulns 2
symantec 1
zdt 2
myhack58 1
tomcat 1
centos 2
amazon 1
ubuntucve
ubuntucve
CVE-2015-0226
2017-10-30 00:00:00
CVE-2016-2141
2016-06-30 00:00:00
CVE-2016-2510
2016-02-19 00:00:00
prion
prion
Design/Logic Flaw
2017-10-30 14:29:00
Design/Logic Flaw
2020-03-11 16:15:00
Xxe
2016-04-07 20:59:00
debiancve
debiancve
CVE-2015-0226
2017-10-30 14:29:00
CVE-2016-2141
2016-06-30 16:59:00
CVE-2016-2510
2016-04-07 20:59:00
cve
cve
CVE-2015-0226
2017-10-30 14:29:00
CVE-2011-2487
2020-03-11 16:15:00
CVE-2015-0254
2015-03-09 14:59:00
github
github
Use of a Broken or Risky Cryptographic Algorithm in Apache WSS4J
2022-05-14 00:55:57
Use of a Broken or Risky Cryptographic Algorithm in Apache WSS4J
2022-04-22 00:24:28
Improper Input Validation in BeanShell
2022-05-13 01:14:25
osv
osv
Use of a Broken or Risky Cryptographic Algorithm in Apache WSS4J
2022-05-14 00:55:57
Use of a Broken or Risky Cryptographic Algorithm in Apache WSS4J
2022-04-22 00:24:28
groovy - security update
2015-07-20 00:00:00
seebug
seebug
Apache Groovy MethodClosure 远程代码执行漏洞(CVE-2015-3253)
2016-03-02 00:00:00
XStream 反序列化漏洞
2016-03-02 00:00:00
nessus
nessus
Fedora 23 : groovy-2.4.4-1.fc23 (2015-15899)
2015-09-24 00:00:00
Fedora 25 : groovy18 (2017-6a0389a6a7)
2017-09-01 00:00:00
GLSA-201610-01 : Groovy: Arbitrary code execution
2016-10-07 00:00:00
f5
f5
K49233165 : Apache Groovy vulnerability CVE-2015-3253
2015-12-11 00:00:00
SOL49233165 - Apache Groovy vulnerability CVE-2015-3253
2015-12-11 00:00:00
mageia
mageia
Updated groovy package fixes security vulnerability
2015-07-31 00:08:51
Updated groovy18 packages fix security vulnerability
2017-09-07 12:07:16
Updated jakarta-taglibs-standard packages fix CVE-2015-0254
2015-04-10 01:44:14
openvas
openvas
Fedora Update for groovy FEDORA-2015-15907
2015-09-25 00:00:00
Fedora Update for groovy18 FEDORA-2017-9899aba20e
2017-09-01 00:00:00
Mageia: Security Advisory (MGASA-2015-0296)
2015-10-15 00:00:00
freebsd
freebsd
groovy -- remote execution of untrusted code
2015-07-09 00:00:00
bsh -- remote code execution vulnerability
2016-02-18 00:00:00
groovy -- remote execution of untrusted code/DoS vulnerability
2016-09-20 00:00:00
redhatcve
redhatcve
CVE-2016-2141
2016-06-23 20:48:29
redhat
redhat
(RHSA-2016:1389) Critical: Red Hat JBoss Fuse Service Works security update
2016-07-07 17:44:58
(RHSA-2016:1330) Critical: Red Hat JBoss Enterprise Application Platform 6.4 security update
2016-06-23 20:40:58
(RHSA-2016:1334) Critical: Red Hat JBoss Data Grid 6.6 security update
2016-06-23 20:41:59
fedora
fedora
[SECURITY] Fedora 22 Update: groovy-2.4.0-2.fc22
2015-09-24 08:33:07
[SECURITY] Fedora 25 Update: groovy18-1.8.9-30.fc25
2017-09-01 03:24:20
[SECURITY] Fedora 26 Update: groovy18-1.8.9-30.fc26
2017-08-31 22:55:17
zdi
zdi
Apache Groovy Deserialization of Untrusted Data Remote Code Execution Vulnerability
2015-07-20 00:00:00
gentoo
gentoo
Groovy: Arbitrary code execution
2016-10-06 00:00:00
BeanShell: Arbitrary code execution
2016-07-30 00:00:00
suse
suse
Security update for bsh2 (important)
2016-03-19 16:12:13
Security update for jakarta-taglibs-standard (important)
2017-06-27 00:11:17
Security update for bsh2 (important)
2016-03-16 19:12:08
ibm
ibm
Security Bulletin: A vulnerability in Open Source BeanShell has been addressed by IBM Kenexa LCMS Premier (CVE-2016-2510)
2018-06-17 22:22:02
Security Bulletin: A Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (CVE-2015-0254)
2018-06-15 07:05:52
Security Bulletin: Vulnerability in Apache Standard Taglibs affects IBM WebSphere Application Server (CVE-2015-0254)
2018-06-15 07:05:16
veracode
veracode
Authorization Bypass
2019-01-15 09:11:57
Remote Code Execution Through Object Deserialization
2019-01-15 09:18:57
XML External Entity (XXE) Through An XSLT Extension
2019-01-15 09:09:55
ubuntu
ubuntu
BeanShell vulnerability
2016-03-08 00:00:00
Apache Standard Taglibs vulnerability
2015-03-30 00:00:00
debian
debian
[SECURITY] [DSA 3504-1] bsh security update
2016-03-04 15:55:42
[SECURITY] [DLA 443-1] bsh security update
2016-02-29 14:56:19
[SECURITY] [DSA 3504-1] bsh security update
2016-03-04 15:55:42
oraclelinux
oraclelinux
jakarta-taglibs-standard security update
2015-08-31 00:00:00
kaspersky
kaspersky
KLA10483 Code execution vulnerability in Apache Standard Taglib
2015-03-24 00:00:00
securityvulns
securityvulns
Apache taglibs security vulnerabilities
2015-03-08 00:00:00
[SECURITY] CVE-2015-0254 XXE and RCE via XSL extension in JSTL XML tags
2015-03-08 00:00:00
symantec
symantec
SA110 : Java Deserialization Vulnerabilities
2016-01-29 08:00:00
zdt
zdt
Apache Groovy 2.4.x Disclosure Vulnerabilities
2015-07-18 00:00:00
Apache Groovy Deserialization of Untrusted Data Remote Code Execution Exploit 0day
2015-07-24 00:00:00
myhack58
myhack58
Xstream Deserializable Vulnerablity And Groovy(CVE-2 0 1 5-3 2 5 3-a vulnerability warning-the black bar safety net
2016-03-02 00:00:00
tomcat
tomcat
Fixed in Apache Standard Taglib 1.2.3
2015-02-20 00:00:00
centos
centos
jakarta security update
2015-09-01 15:35:28
groovy security update
2017-08-31 18:58:56
amazon
amazon
Important: jakarta-taglibs-standard
2015-09-22 10:00:00

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.118 Low

EPSS

Percentile

94.7%

JSON
Related for RHSA-2016:1376
ubuntucve6prion7debiancve4cve7github6osv9seebug2nessus35f52mageia3openvas21freebsd3redhatcve1redhat27fedora4zdi1gentoo2suse6ibm31veracode4ubuntu2debian4oraclelinux1kaspersky1securityvulns2symantec1zdt2myhack581tomcat1centos2amazon1