Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
redhatRedHatRHSA-2017:2811
HistorySep 26, 2017 - 6:58 p.m.

(RHSA-2017:2811) Important: eap7-jboss-ec2-eap security update

2017-09-2618:58:39
access.redhat.com
74

0.874 High

EPSS

Percentile

98.7%

JSON

The eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2).

With this update, the eap7-jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 7.0.8.

Refer to the JBoss Enterprise Application Platform 7.0.8 Release Notes, linked to in the References section, for information on the most significant bug fixes and enhancements included in this release.

Security Fix(es):

  • It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)

  • A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)

  • It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user’s private information. (CVE-2015-6644)

  • It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the β€œInResponseTo” field in the response. (CVE-2017-2582)

  • It was found that when the security manager’s reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)

The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).

Related

redhat 26
nessus 42
redhatcve 5
veracode 9
centos 1
githubexploit 1
attackerkb 1
amazon 2
ubuntucve 5
prion 6
nvd 6
debiancve 5
github 5
osv 14
cve 6
cvelist 6
openvas 23
debian 5
fedora 7
ibm 10
f5 2
checkpoint_advisories 2
atlassian 1
ubuntu 1
oraclelinux 1
seebug 1
symantec 2
suse 1
cloudlinux 1
myhack58 2
redhat
redhat
(RHSA-2017:2810) Important: Red Hat JBoss Enterprise Application Platform security update
2017-09-26 16:46:55
(RHSA-2017:2808) Important: Red Hat JBoss Enterprise Application Platform security update
2017-09-26 17:22:47
(RHSA-2017:2809) Important: Red Hat JBoss Enterprise Application Platform security update
2017-09-26 17:22:51
nessus
nessus
RHEL 6 / 7 : eap7-jboss-ec2-eap (RHSA-2017:2811)
2017-09-27 00:00:00
RHEL 7 : JBoss EAP (RHSA-2017:2808)
2017-09-28 00:00:00
RHEL 6 : Red Hat JBoss Enterprise Application Platform (RHSA-2017:2809)
2017-09-28 00:00:00
redhatcve
redhatcve
CVE-2017-5645
2019-10-10 10:12:57
CVE-2019-17571
2020-04-05 23:06:12
CVE-2014-9970
2019-11-02 16:18:21
veracode
veracode
Remote Code Execution (RCE)
2017-04-18 01:36:45
Timing Attack
2017-05-22 02:30:24
Timing Attack
2019-01-15 09:19:20
centos
centos
log4j security update
2017-08-31 18:57:53
githubexploit
githubexploit
Exploit for Deserialization of Untrusted Data in Apache Log4J
2019-12-25 16:46:11
attackerkb
attackerkb
CVE-2019-17571
2019-12-20 00:00:00
amazon
amazon
Important: log4j
2022-01-18 20:15:00
Medium: log4j
2022-01-18 21:37:00
ubuntucve
ubuntucve
CVE-2014-9970
2017-05-21 00:00:00
CVE-2015-6644
2016-01-06 00:00:00
CVE-2017-7536
2018-01-10 00:00:00
prion
prion
Default credentials
2017-05-21 18:29:00
Information disclosure
2016-01-06 19:59:00
Privilege escalation
2018-01-10 15:29:00
nvd
nvd
CVE-2014-9970
2017-05-21 18:29:00
CVE-2015-6644
2016-01-06 19:59:09
CVE-2017-7536
2018-01-10 15:29:00
debiancve
debiancve
CVE-2014-9970
2017-05-21 18:29:00
CVE-2015-6644
2016-01-06 19:59:09
CVE-2017-7536
2018-01-10 15:29:00
github
github
Exposure of Sensitive Information to an Unauthorized Actor in Apache Jasypt
2022-05-14 03:44:52
Privilege Escalation in Hibernate Validator
2020-06-15 19:57:48
Deserialization of Untrusted Data in Log4j
2020-01-06 18:43:38
osv
osv
Exposure of Sensitive Information to an Unauthorized Actor in Apache Jasypt
2022-05-14 03:44:52
bouncycastle - security update
2017-04-10 00:00:00
bouncycastle - security update
2017-04-11 00:00:00
cve
cve
CVE-2014-9970
2017-05-21 18:29:00
CVE-2015-6644
2016-01-06 19:59:09
CVE-2017-7536
2018-01-10 15:29:00
cvelist
cvelist
CVE-2014-9970
2017-05-21 18:00:00
CVE-2015-6644
2016-01-06 19:00:00
CVE-2017-7536
2017-06-27 00:00:00
openvas
openvas
Debian: Security Advisory (DSA-3829-1)
2017-04-10 00:00:00
Fedora Update for bouncycastle FEDORA-2017-4c3ac44551
2017-05-03 00:00:00
Debian: Security Advisory (DLA-893-1)
2018-01-16 00:00:00
debian
debian
[SECURITY] [DLA 893-1] bouncycastle security update
2017-04-10 19:16:42
[SECURITY] [DSA 3829-1] bouncycastle security update
2017-04-11 20:45:09
[SECURITY] [DSA 4686-1] apache-log4j1.2 security update
2020-05-15 22:17:02
fedora
fedora
[SECURITY] Fedora 24 Update: bouncycastle-1.52-9.fc24
2017-05-02 00:24:48
[SECURITY] Fedora 26 Update: log4j-2.7-4.fc26
2017-05-02 15:59:49
[SECURITY] Fedora 24 Update: log4j-2.5-3.fc24
2017-05-04 18:26:42
ibm
ibm
Security Bulletin: Apache-Log4j (Publicly disclosed vulnerability)
2021-12-18 08:39:03
Security Bulletin: Vulnerability in Apache Log4j may affect CΓΊram Social Program Management (CVE-2019-17571)
2021-11-29 13:23:28
Security Bulletin: App Connect for Manufacturing 2.0 is affected by vulnerabilities of log4j 1.2.17 - Log4j Deserialization Remote Code Execution (CVE-2019-17571)
2021-03-24 10:01:58
f5
f5
K61529042 : Log4j vulnerability CVE-2019-17571
2020-04-08 00:00:00
K23173103 : log4j vulnerability CVE-2017-5645
2018-01-31 00:00:00
checkpoint_advisories
checkpoint_advisories
Apache Log4j Remote Code Execution (CVE-2017-5645)
2022-01-02 00:00:00
Apache Log4j Remote Code Execution (CVE-2019-17571)
2020-03-01 00:00:00
atlassian
atlassian
Apache Log4j - Arbitrary Code Execution in confserver/confluence (master)
2020-03-02 03:58:39
ubuntu
ubuntu
Apache Log4j vulnerability
2020-09-15 00:00:00
oraclelinux
oraclelinux
log4j security update
2017-08-09 00:00:00
seebug
seebug
Apache Log4j socket receiver deserialization vulnerability (CVE-2017-5645)
2017-04-18 00:00:00
symantec
symantec
Apache Log4j CVE-2017-5645 Remote Code Execution Vulnerability
2017-04-17 00:00:00
Apache Log4j CVE-2019-17571 Deserialization Remote Code Execution Vulnerability
2019-12-18 00:00:00
suse
suse
Security update for log4j (important)
2020-01-14 00:00:00
cloudlinux
cloudlinux
Fixed CVE-2019-17571 in log4j
2022-06-21 20:23:31
myhack58
myhack58
Apache logging component Log4j deserialization vulnerability affects all 2. x version-bug warning-the black bar safety net
2017-04-18 00:00:00
Apache logging component Log4j deserialization vulnerability affects all 2. x version-bug warning-the black bar safety net
2017-04-19 00:00:00

0.874 High

EPSS

Percentile

98.7%

JSON
Related for RHSA-2017:2811
redhat26nessus42redhatcve5veracode9centos1githubexploit1attackerkb1amazon2ubuntucve5prion6nvd6debiancve5github5osv14cve6cvelist6openvas23debian5fedora7ibm10f52checkpoint_advisories2atlassian1ubuntu1oraclelinux1seebug1symantec2suse1cloudlinux1myhack582