(RHSA-2021:3140) Moderate: Red Hat Fuse 7.9.0 release and security update

2021-08-11T18:18:10

Description

This release of Red Hat Fuse 7.9.0 serves as a replacement for Red Hat Fuse 7.8, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * hawtio-osgi (CVE-2017-5645) * prometheus-jmx-exporter: snakeyaml (CVE-2017-18640) * apache-commons-compress (CVE-2019-12402) * karaf-transaction-manager-narayana: netty (CVE-2019-16869, CVE-2019-20445) * tomcat (CVE-2020-1935, CVE-2020-1938, CVE-2020-9484, CVE-2020-13934, CVE-2020-13935, CVE-2020-11996) * spring-cloud-config-server (CVE-2020-5410) * velocity (CVE-2020-13936) * httpclient: apache-httpclient (CVE-2020-13956) * shiro-core: shiro (CVE-2020-17510) * hibernate-core (CVE-2020-25638) * wildfly-openssl (CVE-2020-25644) * jetty (CVE-2020-27216, CVE-2021-28165) * bouncycastle (CVE-2020-28052) * wildfly (CVE-2019-14887, CVE-2020-25640) * resteasy-jaxrs: resteasy (CVE-2020-1695) * camel-olingo4 (CVE-2020-1925) * springframework (CVE-2020-5421) * jsf-impl: Mojarra (CVE-2020-6950) * resteasy (CVE-2020-10688) * hibernate-validator (CVE-2020-10693) * wildfly-elytron (CVE-2020-10714) * undertow (CVE-2020-10719) * activemq (CVE-2020-13920) * cxf-core: cxf (CVE-2020-13954) * fuse-apicurito-operator-container: golang.org/x/text (CVE-2020-14040) * jboss-ejb-client: wildfly (CVE-2020-14297) * xercesimpl: wildfly (CVE-2020-14338) * xnio (CVE-2020-14340) * flink: apache-flink (CVE-2020-17518) * resteasy-client (CVE-2020-25633) * xstream (CVE-2020-26258) * mybatis (CVE-2020-26945) * pdfbox (CVE-2021-27807, CVE-2021-27906) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

{"id": "RHSA-2021:3140", "vendorId": null, "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2021:3140) Moderate: Red Hat Fuse 7.9.0 release and security update", "description": "This release of Red Hat Fuse 7.9.0 serves as a replacement for Red Hat Fuse 7.8, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* hawtio-osgi (CVE-2017-5645)\n\n* prometheus-jmx-exporter: snakeyaml (CVE-2017-18640)\n\n* apache-commons-compress (CVE-2019-12402)\n\n* karaf-transaction-manager-narayana: netty (CVE-2019-16869, CVE-2019-20445)\n\n* tomcat (CVE-2020-1935, CVE-2020-1938, CVE-2020-9484, CVE-2020-13934, CVE-2020-13935, CVE-2020-11996)\n\n* spring-cloud-config-server (CVE-2020-5410)\n\n* velocity (CVE-2020-13936)\n\n* httpclient: apache-httpclient (CVE-2020-13956)\n\n* shiro-core: shiro (CVE-2020-17510)\n\n* hibernate-core (CVE-2020-25638)\n\n* wildfly-openssl (CVE-2020-25644)\n\n* jetty (CVE-2020-27216, CVE-2021-28165)\n\n* bouncycastle (CVE-2020-28052)\n\n* wildfly (CVE-2019-14887, CVE-2020-25640)\n\n* resteasy-jaxrs: resteasy (CVE-2020-1695)\n\n* camel-olingo4 (CVE-2020-1925)\n\n* springframework (CVE-2020-5421)\n\n* jsf-impl: Mojarra (CVE-2020-6950)\n\n* resteasy (CVE-2020-10688)\n\n* hibernate-validator (CVE-2020-10693)\n\n* wildfly-elytron (CVE-2020-10714)\n\n* undertow (CVE-2020-10719)\n\n* activemq (CVE-2020-13920)\n\n* cxf-core: cxf (CVE-2020-13954)\n\n* fuse-apicurito-operator-container: golang.org/x/text (CVE-2020-14040)\n\n* jboss-ejb-client: wildfly (CVE-2020-14297)\n\n* xercesimpl: wildfly (CVE-2020-14338)\n\n* xnio (CVE-2020-14340)\n\n* flink: apache-flink (CVE-2020-17518)\n\n* resteasy-client (CVE-2020-25633)\n\n* xstream (CVE-2020-26258)\n\n* mybatis (CVE-2020-26945)\n\n* pdfbox (CVE-2021-27807, CVE-2021-27906)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "published": "2021-08-11T18:18:10", "modified": "2021-11-11T09:25:09", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 9.0}, "severity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://access.redhat.com/errata/RHSA-2021:3140", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2017-18640", "CVE-2017-5645", "CVE-2019-12402", "CVE-2019-14887", "CVE-2019-16869", "CVE-2019-20445", "CVE-2020-10688", "CVE-2020-10693", "CVE-2020-10714", "CVE-2020-10719", "CVE-2020-11996", "CVE-2020-13920", "CVE-2020-13934", "CVE-2020-13935", "CVE-2020-13936", "CVE-2020-13954", "CVE-2020-13956", "CVE-2020-14040", "CVE-2020-14297", "CVE-2020-14338", "CVE-2020-14340", "CVE-2020-1695", "CVE-2020-17510", "CVE-2020-17518", "CVE-2020-1925", "CVE-2020-1935", "CVE-2020-1938", "CVE-2020-25633", "CVE-2020-25638", "CVE-2020-25640", "CVE-2020-25644", "CVE-2020-26258", "CVE-2020-26945", "CVE-2020-27216", "CVE-2020-28052", "CVE-2020-5410", "CVE-2020-5421", "CVE-2020-6950", "CVE-2020-9484", "CVE-2021-27568", "CVE-2021-27807", "CVE-2021-27906", "CVE-2021-28165"], "immutableFields": [], "lastseen": "2022-03-31T19:30:00", "viewCount": 46, "enchantments": {"dependencies": {"references": [{"type": "almalinux", "idList": ["ALSA-2020:4694", "ALSA-2020:4807", "ALSA-2021:1775", "ALSA-2022:1860", "ALSA-2022:1861"]}, {"type": "amazon", "idList": ["ALAS-2020-1352", "ALAS-2020-1353", "ALAS-2020-1389", "ALAS-2020-1390", "ALAS-2020-1409", "ALAS-2020-1436", "ALAS-2020-1472", "ALAS-2021-1472", "ALAS-2021-1491", "ALAS-2021-1493", "ALAS-2022-1562", "ALAS-2022-1572", "ALAS2-2020-1402", "ALAS2-2020-1449", "ALAS2-2020-1494", "ALAS2-2021-1690"]}, {"type": "archlinux", "idList": ["ASA-202006-16", "ASA-202006-5", "ASA-202006-6", "ASA-202006-7"]}, {"type": "atlassian", "idList": ["ATLASSIAN:CONFSERVER-60004", "ATLASSIAN:FE-7344", "ATLASSIAN:JRASERVER-70487", "ATLASSIAN:JRASERVER-70993", "ATLASSIAN:JRASERVER-71221", "ATLASSIAN:JRASERVER-71321", "BAM-21603", "CONFSERVER-60004", "FE-7344", "JRASERVER-70487", "JRASERVER-70993", "JRASERVER-71221", "JRASERVER-71321", "JRASERVER-73223", "JRASERVER-73739"]}, {"type": "attackerkb", "idList": ["AKB:38F76C83-56D0-4112-A583-4513CC15B1B3", "AKB:770521DD-D057-4195-A187-66787A667266", "AKB:8AA21692-1900-4944-98AB-BEC257302198", "AKB:DBBC8872-3C07-492F-B3D2-399BF504AED0", "AKB:FB2F65B2-D10B-4622-AEE6-41AAD3C1E6E7"]}, {"type": "broadcom", "idList": ["BSA-2022-1839"]}, {"type": "centos", "idList": ["CESA-2017:2423", "CESA-2020:0855", "CESA-2020:0912", "CESA-2020:2530", "CESA-2020:4004", "CESA-2020:5020"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-1216", "CPAI-2017-1224", "CPAI-2020-0086", "CPAI-2020-1284", "CPAI-2020-3204", "CPAI-2020-3387"]}, {"type": "cisa", "idList": ["CISA:7E752ED3C4545FF8F72629B02D303E84", "CISA:918BA24AFBD99F0ED28F66A3212E3BA6"]}, {"type": "cve", "idList": ["CVE-2017-18640", "CVE-2017-5645", "CVE-2019-12402", "CVE-2019-14887", "CVE-2019-16869", "CVE-2019-20445", "CVE-2020-10569", "CVE-2020-10688", "CVE-2020-10693", "CVE-2020-10714", "CVE-2020-10719", "CVE-2020-11996", "CVE-2020-13920", "CVE-2020-13934", "CVE-2020-13935", "CVE-2020-13936", "CVE-2020-13954", "CVE-2020-13956", "CVE-2020-14040", "CVE-2020-14297", "CVE-2020-14338", "CVE-2020-14340", "CVE-2020-14384", "CVE-2020-1695", "CVE-2020-17510", "CVE-2020-17518", "CVE-2020-1925", "CVE-2020-1935", "CVE-2020-1938", "CVE-2020-25633", "CVE-2020-25638", "CVE-2020-25640", "CVE-2020-25644", "CVE-2020-26258", "CVE-2020-26945", "CVE-2020-27216", "CVE-2020-28052", "CVE-2020-5410", "CVE-2020-5421", "CVE-2020-6950", "CVE-2020-7238", "CVE-2020-9484", "CVE-2021-25329", "CVE-2021-27568", "CVE-2021-27807", "CVE-2021-27906", "CVE-2021-28165", "CVE-2022-23181"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1941-1:B0F41", "DEBIAN:DLA-1941-1:FEB61", "DEBIAN:DLA-2109-1:DE8EC", "DEBIAN:DLA-2110-1:96368", "DEBIAN:DLA-2133-1:4E05E", "DEBIAN:DLA-2133-1:EFD3F", "DEBIAN:DLA-2209-1:84C77", "DEBIAN:DLA-2209-1:D154F", "DEBIAN:DLA-2217-1:0ED90", "DEBIAN:DLA-2279-1:771F3", "DEBIAN:DLA-2279-1:AB3FB", "DEBIAN:DLA-2286-1:A2783", "DEBIAN:DLA-2286-1:F04B8", "DEBIAN:DLA-2364-1:39666", "DEBIAN:DLA-2365-1:41B26", "DEBIAN:DLA-2400-1:6CC41", "DEBIAN:DLA-2400-1:C0457", "DEBIAN:DLA-2405-1:2470B", "DEBIAN:DLA-2405-1:33C7A", "DEBIAN:DLA-2507-1:18489", "DEBIAN:DLA-2512-1:EDD15", "DEBIAN:DLA-2595-1:23005", "DEBIAN:DLA-2595-1:62C40", "DEBIAN:DLA-2596-1:25D69", "DEBIAN:DLA-2661-1:5DE5A", "DEBIAN:DLA-2726-1:D3013", "DEBIAN:DSA-4597-1:11183", "DEBIAN:DSA-4597-1:8729B", "DEBIAN:DSA-4627-1:1B266", "DEBIAN:DSA-4673-1:A3780", "DEBIAN:DSA-4680-1:FCF2B", "DEBIAN:DSA-4772-1:DCCA8", "DEBIAN:DSA-4828-1:46220", "DEBIAN:DSA-4885-1:31BC0", "DEBIAN:DSA-4908-1:0437F", "DEBIAN:DSA-4908-1:07D7B", "DEBIAN:DSA-4949-1:1212B"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2017-18640", "DEBIANCVE:CVE-2017-5645", "DEBIANCVE:CVE-2019-12402", "DEBIANCVE:CVE-2019-16869", "DEBIANCVE:CVE-2019-20445", "DEBIANCVE:CVE-2020-10688", "DEBIANCVE:CVE-2020-10693", "DEBIANCVE:CVE-2020-10719", "DEBIANCVE:CVE-2020-11996", "DEBIANCVE:CVE-2020-13920", "DEBIANCVE:CVE-2020-13934", "DEBIANCVE:CVE-2020-13935", "DEBIANCVE:CVE-2020-13936", "DEBIANCVE:CVE-2020-13956", "DEBIANCVE:CVE-2020-14040", "DEBIANCVE:CVE-2020-14340", "DEBIANCVE:CVE-2020-1695", "DEBIANCVE:CVE-2020-17510", "DEBIANCVE:CVE-2020-1935", "DEBIANCVE:CVE-2020-1938", "DEBIANCVE:CVE-2020-25633", "DEBIANCVE:CVE-2020-25638", "DEBIANCVE:CVE-2020-26258", "DEBIANCVE:CVE-2020-27216", "DEBIANCVE:CVE-2020-28052", "DEBIANCVE:CVE-2020-5421", "DEBIANCVE:CVE-2020-6950", "DEBIANCVE:CVE-2020-7238", "DEBIANCVE:CVE-2020-9484", "DEBIANCVE:CVE-2021-25329", "DEBIANCVE:CVE-2021-27807", "DEBIANCVE:CVE-2021-27906", "DEBIANCVE:CVE-2021-28165", "DEBIANCVE:CVE-2022-23181"]}, {"type": "f5", "idList": ["F5:K03121171", "F5:K15338344", "F5:K18484125", "F5:K19240391", "F5:K23173103", "F5:K28409053", "F5:K38573130", "F5:K43709560", "F5:K45026834", "F5:K53254186", "F5:K73648110", "F5:K75555129"]}, {"type": "fedora", "idList": ["FEDORA:05AFB3091421", "FEDORA:0AC1C60C76B5", "FEDORA:0CF5A3094AC8", "FEDORA:16B2E6344278", "FEDORA:1A24B60460E9", "FEDORA:26A3B606353E", "FEDORA:2C8BA30B7889", "FEDORA:341EA6057129", "FEDORA:376506075014", "FEDORA:433C2304C446", "FEDORA:44F56325DDAB", "FEDORA:455E83148598", "FEDORA:4788E309FF20", "FEDORA:69B8A30B8B4D", "FEDORA:7691730C6A23", "FEDORA:76CFD605E21F", "FEDORA:7CFF660874FE", "FEDORA:7D962606E7C6", "FEDORA:938863096E48", "FEDORA:A3BC1607783F", "FEDORA:A99066078F69", "FEDORA:AC9AB30BBFBA", "FEDORA:BDC9D3090DB1", "FEDORA:D343F309D6A7", "FEDORA:DD9CB616EC02", "FEDORA:EFDAB6050C3B", "FEDORA:F12FB31404B0", "FEDORA:F149334E497A"]}, {"type": "freebsd", "idList": ["20006B5F-A0BC-11EB-8AE6-FC4DD43E2B6A", "676CA486-9C1E-11EA-8B5E-B42E99A1B9C3", "6A72EFF7-CCD6-11EA-9172-4C72B94353B5", "70E71A24-0151-11EC-BF0C-080027EEDC6A", "730E922F-20E7-11EC-A574-080027EEDC6A", "B07BDD3C-0809-11EB-A3A4-0019DBB15B3F", "E358B470-B37D-4E47-BC8A-2CD9ADBEB63C"]}, {"type": "gentoo", "idList": ["GLSA-202003-43", "GLSA-202006-21", "GLSA-202107-52"]}, {"type": "github", "idList": ["GHSA-26VR-8J45-3R4W", "GHSA-29QJ-RVV6-QRMV", "GHSA-2H3J-M7GR-25XJ", "GHSA-32XF-JWMV-9HF3", "GHSA-344F-F5VG-2JFJ", "GHSA-4CCH-WXPW-8P28", "GHSA-53HP-JPWQ-2JGQ", "GHSA-53X6-4X5P-RRVV", "GHSA-59J4-WJWP-MW9M", "GHSA-5RCV-M4M3-HFH7", "GHSA-63CQ-PPQ8-CW6G", "GHSA-64X2-GQ24-75PV", "GHSA-6VQP-H455-42MR", "GHSA-73XV-W5GP-FRXH", "GHSA-7CJ4-GJ8M-M2F7", "GHSA-7FHR-2694-RG79", "GHSA-7Q5G-GPH2-4RC6", "GHSA-7R82-7XV7-XCPJ", "GHSA-9F3J-PM6F-9FM5", "GHSA-C738-77X8-WMQ5", "GHSA-C9HW-WF7X-JP9J", "GHSA-CCCF-7XW3-P2VR", "GHSA-FF2W-CQ2G-WV5F", "GHSA-FXPH-Q3J8-MV87", "GHSA-G3WG-6MCF-8JJ6", "GHSA-HR32-MGPM-QF2F", "GHSA-HWVM-VFW8-93MW", "GHSA-J8JW-G6FQ-MP7H", "GHSA-JGWR-3QM3-26F3", "GHSA-M7JV-HQ7H-MQ7C", "GHSA-P2V9-G2QV-P635", "GHSA-P979-4MFW-53VG", "GHSA-QQ48-M4JX-XQH8", "GHSA-QXF4-CHVG-4R8R", "GHSA-RMRM-75HP-PHR2", "GHSA-RPQ8-MMWH-Q9HM", "GHSA-RV39-3QH7-9V7W", "GHSA-RVWF-54QP-4R6V", "GHSA-V4QH-6367-4CX2", "GHSA-V528-7HRM-FRQP", "GHSA-VF77-8H7G-GGHP", "GHSA-W4JQ-QH47-HVJQ", "GHSA-XGRX-XPV2-6VP4"]}, {"type": "githubexploit", "idList": ["0B52DD25-4874-54EB-8213-8FA10B0966A3", "0FF82942-18BE-564C-8559-A8747AF02003", "140968B5-6F8E-57C6-8A61-831D5FB78836", "14CD7401-C309-52B2-B4EE-AD54900F0455", "1638D72C-F3EB-52FB-B16F-5F1996A67C0A", "175F0524-E328-527F-BC58-2130DE4756FF", "18F5237C-DCAC-5831-AED6-F0880A11DFF2", "4149EA3B-6A39-507B-A34C-22418BD1F20A", "4278B435-D22E-57E8-ABC4-639BAAFA6FC9", "44298060-D70D-5668-B934-C6F101F4EF90", "504D019A-423C-50A0-9677-93192F0ECDFC", "5602A60A-886A-598C-99B3-EE2E820506AD", "6E0425A5-AA6D-5FC6-9F8C-415345C30DD5", "7130E91B-2DF2-565E-ADE8-4C60D45E5A4D", "72ACBBC1-E9FB-5A12-8614-06BEF5F96394", "743F51FB-8BF4-5425-AEFA-10B2A14C8F3B", "848A368C-4CEE-5324-BB29-1432453E3138", "8DB9E338-4180-562E-ABD8-FB97CA704213", "92CE6110-40F8-5FE5-909B-BE6B59186578", "968DBE0A-CC05-5F47-B348-E8E33AA33F6C", "B0BA17F5-F171-5C97-9F6C-D5F38B5B64F5", "B3B326B1-29C1-5DA0-A61A-FF3C479779A6", "BA9D322B-4694-5B07-BD2F-83E700A62DE8", "C2D99D6A-1A8C-5D55-BBB7-34A978AAC642", "C3759325-98F9-5F0F-98F5-6EAE787CE3FB", "C4EDB405-454C-5160-9A99-21A930740C3F", "D05BED3C-1405-5414-B868-D7E9E1AEC6EF", "D5CBA0E2-A4B0-52CE-B93B-F433CE8662DA", "E95D9A0E-E9DE-5D95-9879-E07C0257318C", "F0ED6FE9-BC03-5953-BF24-995A28292C17", "F60737C1-A24B-51C1-AE8D-73A65C778FFF", "F9061858-90CD-55ED-9193-068E2E50FF77"]}, {"type": "gitlab", "idList": ["GITLAB-D899879055E0CEE1264C3999920643D5", "GITLAB-F0100320E4A944927271D944E511880D"]}, {"type": "hackerone", "idList": ["H1:874427"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20200715-01-TOMACT"]}, {"type": "ibm", "idList": ["0066C9EC375123E63AE360D74EC62586671E78442045839C341498FBEEC24A1E", "007E1AC1E4228B8135E45C63FCEF82799BD02C157157F082CD8D3E0F0D61C361", "021D73BA7F81AE9ECA981B8E5BCD2B83F967D63970C29E0AD98D46119BE5A6A3", "026861C8F37CB442AEB06F08CB67784AB6226E1C2C5830E2D4227D71E9453C5B", "02AC3D75FB5E9A395164B03D2835B59279C245C81FF95300ED74B35ADE723D5F", "05EBC3EA4B66B19728BB66D5DC71F429C8B7233EC5AC3CB0DA401B57D74514F3", "06F82D153AB6DEEFD5161D9F44AA40A07074E344710561946396F62B67A0FED7", "098A0B0BBDA18721083717F103FE7FB2B2BBE2394E33149D968FE7B59A7B2AD4", "0CE409469DEFB125E45CD7AB309ED97939F1B7B38D62A26508B676A51CC9A271", "0E436ABCB1C741BF7139A69EC882BC3B9CA8C0C827B7CDBB16713B784DEF116A", "101D9839DC4D3A67F5CA5070D8255AEF01378A1F2F94126A2F00868A71C2B71A", "108B881F58BDABF9FFB471772510149AE93FEF1CA5E7083CA8DCD974DFD78412", "1F707BCFF7B87B9F76A41F8C24CF01CE9AF5A20146DFADFAD12F1F209431504F", "204ADCCC258487D6D5F8C848C95DAB38413055F4AFD05DFCF56FD7435CBF7C69", "205D8E291F00D69928AE2777BC3A52CC5094D59B30AB5BF479F77703C17C0EBE", "20D78D1F15CF6719B26AF45D46BE8B0697952AFB6607D042E039580C6BCF92BE", "226FFFCDF94FA8471AA279C7EA3B887FAA510E3463B5ABDBC303B7D6583EE6BE", "23258712AF0C6FF3D199FB0C84691351D550E3A4E86DEF3F1A107BF53AC16647", "2AD1F86BAC93366F89BAA6BECFE551E5D80A650C29A4222CD9BF66F9689BF3F3", "2B8ED03AFB64688F7C236312BC8155AB0C092B0BB10F225899EEE28BFC95B925", "2C070ACA838DF756EF2C6663B3A4CC8D6546936B4E9067A8CC8F4E89004415FB", "2FE97BC0DB8A3B1BCF85FF8F69828770D4396C7CC3ABD37202D8089D2CADF87B", "324040B56271D71A84F2DAB2E4D80E3170D2FCFDEAE2B5A6CAB0DF69F449B230", "3406F3BF171E35059DD6F774A38295A04425479DF9DD7838A3961F77179002A0", "35775CB7BE8C2C4A9037236531F036665ED2A456F3687EBA615EC6B0B0407E48", "360A532A824E2C2FF5738257AADA989D56DA13389309F349189AA4DF31F97CE2", "3806864362596B8F499C9B331631D79EC751CD68B24068ED9B36CFB553A6D005", "39C214FD5E5504CD5F6F1D889575FBD4E81A443FEF59E6207CD831893A63CFFE", "3D307C26AD38224FBB6887FA744256D8B485F2828F3491E37740B523C7D53134", "3E7141042BE5B9E1A55ADA05F6035C03E394EF7DC2BDEDF57AEB4C33DF04D003", "418A4C8D1E8F2E8A923DFE2C36570B4A5EF7B515E050C0F19513AF3DAE7D2628", "41CB9666A88AE67D4A0558674B8CFDA62F160B6DDCBA3C10576515447887CF12", "44ED011A5E4C4CDACE68AC2DF7C685CB620B2DACF1394D05CEBCF3B6B0D89AF6", "49ED43DAA523C79B0D499D6AAAF1DB03BC188989246D9E4075BF6071BC1F62AD", "4BDAD0354104643E7949DCEDA1BA9265CEAEE5019584E7C99E9BAC75F411DFC2", "4BEC8E9463E4B27C09D4E3ECF5C98A9E0D6D193C06E6EFC3DEDB9F41368D7DC0", "4D5BB52B0DF5B49E677BEA648A36285E11F99DEE079C1C0FA1985FAC1251CAC6", "4F83B26494F5C02A937F66487471A788F350B0FE1D9EABC80254DB502CA97A51", "516C78282E257BAD924E6FC3088367963BA15FCD8305B1B9C4978CA225F03D64", "53B532B87CEA78B57E2ED69FBCEA8B269DE8F2659CD1185FAB9174B1B7BD0971", "5607CF6D04DD77CB50570F4969F7B3DEFF1BEAE93F9CF5B5355BBD8D2BA6EA96", "570AF6CDC4F7E864E6852EBD03923041C13A884B424AC254820AD0EEB73694DF", "573F294E16A1C9B7682B48604209232E9D20CDAD4F9D09F633AA855F804E24CD", "582F96446333EB82A24A0C13191C208F7E940B6AE34B504E8FD5A296160793B6", "5B47275B66495017EC8BCD458FF8949B7FBE30E96158522A3DA6B3FED9F36A9E", "5C2F727441DDF005628436E237055B06B4A2A1455B638FC8CE15F44D4FC5F66E", "5CFFF247829B88E863F660A3FB2D7F903D5C69A71EEC6143F457C50174CB02BB", "5E6AC096D5F35D524923422195E5F8BE5ABD6E307943C5F7A48830343C060E96", "6195FD892AA154A172FA62D1C3179F1BED3A69333139BC056B6242D7A468E832", "63C0560C61FE9A9777F6402C4988E794A31F66C8118AFA944D2596065F5D0454", "643278CE1BB636D8764FFFB99832A74E1EB43BC79E059A2AF6DA2A9DF4BB4FCB", "69C147CB642B39AA3250947FC1868ED542CC9C2C3BED4BA821CAD9BA0F178E84", "69C79DB7169CF870F6B1FDFFBCCD8DCEFED293B79862611C9A5D39778668A20A", "6B0EA5EC8A444AC10EC1F200C7B61DAF5E4F6E89E5C2943D1BA5016D81598440", "6E4177444972E834FE2E90822133A99FC964026E1F6DFA3A6610BCBD4D165D1F", "6E60AD96D264E31CBE0191743B66ECCC6CDE58441893FF890BFFB7AD2A1AD8A9", "6F1207317470AA234882D78F1F399A5A16C9D25ADD86B6DBB1C594BB387484C4", "6F9B3E5D97FDBB41059AA8C4DDC3F8C6E337642756FF537C16A61C7599D523B9", "6FEE67038ED295324647308F3C611846F29F9073DA5F2D94C9C0754CE87A2A60", "71992C293C68F803D971C4A6799C4C00887FE01C90A51BBA1EF2ECC47DF8D10F", "7463232BD9391B70113F6779133DEEDF82C2F9FB5E2F9C9C4D0363B332E72184", "75172376975CFC491DFBE3507EBF17A98678B53D9C0BA45EC17BE0841880DF1D", "75A547F3BA75C8FD5BF5185CE11155B9F37CBC820B9102C0531E0C7785BA8B78", "7673ECA7C26C82F326589C66582D68F7F87357B4FB250AD73DE7E7F5EC924344", "78D9C4BA0AC6C939F05FFA65988885F5B6562735B96655E51EE309206C6220A9", "792B85A8DB94781D66D2F4C4B62AF0AB0D8345DE0EDC163D9DF3146450CB58F8", "7D3E4A05F495D2208F42E29F32B356EDE3117877FF0017DA2600C2DD6C299C9F", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "7F074E985E9433293F83AAA7F6DAA1B51640BE0E9CE150599D1BBD7718BDB08F", "807F02BF5D04D1D709B1D383A56D073A3E2ABB5E058B819FF145C9C80E083AF4", "83FB543E615A9C8662A98035262ECF1D1F4689ADFAF69DF4FB232747683951CC", "86A0B847D48ABE8E582B1C33E6C19AB73FD9D93A80B340CCDC1D166A92F95ED8", "87DCB77CF764C7235B6473B289E603F21A1588D5812BC1D3022468CF1C8EF03A", "8A25414E8FED9B3A34B56F03DDCF0BE180EB8F7764BA550EFFBCC83D0E7E8154", "8DF333F79E75C38BAF5D10978D2A5980C7BCD16722EBEF4A77847AA9601A851D", "8EFB8A654D3536DD4481500A7680D75E0B2A04D2F63C829CAE130B12A35D7ED3", "8FB323EC50EB5CCD3380176BF2571DDA8C7739DBF4BC558C9B57458B912FEEF7", "9018EBBB2B02EE47F1D399A0C2BDB34D3337938CEAB3DDDABC830CFAB6427187", "91276D3C2731F3DA4DD452E951C9FDEE291112FDC8F824C89A17FB705CD2BB08", "915C40C3847839BAFC1ADC3A4E386F48D7716C2F3DA53EC6BE7228D7003DDC0D", "91E46D9CAD79EFFDAF7AC93106DDC1CDE5DC9494110D817945458F7F32A94872", "9539D349760C436C7C7DD837261536EA548010DD2305304375696FA545C8BF09", "96B34DECBD5111CA099BBF02896DC500AFE9357A8C64E783BBC560AB34F745F2", "96D305EAE4A7FD6D6FD4E199CDA3EF2579F2E48F6FBF657006C48D2421E7DFFE", "96FB1F5401BA33E39F359D3EFA8EAC793B1E88E42ACD8D64CB296F8042026A88", "97D5F772EC68BDCD260FBB9DFB7A322AAAC657E9360305DF11F9C6A6A40D1B85", "9AE75CB1A1D3DD100D9064B9CD05456A761753026F2FA396034E23E18AE154DF", "9B7484C34C9F34F0426B6E8110F51B91DBBF139DD14849DC744E1B348D2F480F", "9C9BD6083322204839F8553AEFDE11C546EEC223C7CE000659E67773279CB0C3", "9CC47C37A5CC093943921CDECE4CF9F41C86981FD1C6230EAA9DD109B2974C86", "9D10729AB8873D23F2244363D8A1DDDC6F4683B3420052FC513112D30B8E6FC8", "A0036DBF564FC801A80402265A168507AE957132B4CFA8F0A86B9B91DFFA2C33", "A104F357C85C98F8863EC17E0968EE2F520A9E4DA3A10DBF1287F2CDE17AFD04", "A14074B63DD301417E9DF0F0CA920DF28041AE6FB1B473141F78ECFEA97F3165", "A27028FEB4AC2C9A262DE2B4713CFC6F3258C4BAA72571EE39D0AD901B84EE4A", "A4F4ED08429B5D47DD29B88E1F05943B726DF1810969F88CDB4A5626D3881137", "A545DB1C220C2CED88336E81FF848EF91603811394EF649FEC94F4D2653CBD45", "A66099F152C06C3921645B73464D1F72864256814A8D0AA86771679C63B01BBA", "A87D3B01BEB3628C5A4865D02456C6AE700642AF49B89B34D8697869591CCEC7", "A8EAA90F5CE918867C773DB790DC273BE5AD5BC74A77574E4C19CE42D18BAD6A", "AA9924D97A331BFEF405C5965F86807ACBF07005A06B3D61D1E7556C355A7841", "AB1AC7E7CE95316265077790DC2D6CE23068401552650F2CE08BCFDA4CE41AA9", "AB595BAD745ACCEB2CA1F5A7FC0DC9717FFDD74D2EEC460390003F7C91DD4FFD", "ACADB7968DA0F2B9A699E4A4F017D7CE853EB3898FF48F8C445659980A8E5015", "AD9D0F1B219EF1414A1CFE4F9B1CA78EEF4B4C701B90380ABE4C1CDC35D33584", "AE33D31A0FB7255EF28BE79BC12503CDC31DB9273944374F35C9752D138DD964", "AE395445C7C7240CD17B06CE58A20D98731AA33DE1AAF047F3A02C424CBD3F87", "AEB328CC8D931D2BFACDBB1708074AFF2A53C68C85557EC09C82031DA56AED69", "B0FF85DCDE8644B3484BD6CF258480DD40154E7BDFEEDF7A128BF747F3AC618F", "B2EA2FBA4D280351FEA7F9EC1921C448D44F4D9EC613590A87A15467F7D34153", "B3A541644FEA43E48D36CA5E9D16B0C96C2D2EDDC66F78E397A1A660286F7C94", "B5810DD31544DECD338CCD71F5C05C78B267068FE3FD01928B5545B05BEE5FA0", "B5B6C4769983441433B811EF3AAED6CFC993849D42BC924ECF1CCA5E34838148", "B5F498C2528C0E625760D72F802C203FB63AC6B3CBD1D27268D5F386CC4385CE", "B71DBB5A8F7BD5AC86F2A784871250C0CD636ED31A030553D5D9A0B4D39CED79", "B8C124EE4E419DE7F41A9CB0246E9FF21300C4C9A2734EF999830B9906B65133", "B9C7132D775DE65C4A7C7EA65CB4611218B4F54983B765131C39E74D07EE9525", "BA2D0D9B1C88AA8F13B870348943574E037A169844D44BBF01DF458E3C5B564F", "BA385C300E1AB69708D8E5042F5220F275493E2AE45A5E3A1DD992DE1DAB492E", "BAC58F310A73AC5E5FAD84D6ECE65ABCF89CB378E0F1092F4F7D09F826B5874A", "C0349AAABFD1576263D75DDFC8EBEDBDBF9CBE04C997B8F00EF826B9D7C1793B", "C08849A00434A559EE1C5504DAE1CDDB28E9D46EDC400E95B2136AC317DFE7A3", "C0BDB67449527274F6BF935813A76F827DBFB1EAD61444E49DD24177F6B0ABE0", "C10FBBF5A8E11974F87E6A099C17E72598C3522DD897AF08DEDE1BCE75AC993E", "C41C171EEB146759A981B49D19F8E7426E3EFEA2C625BADD731547E106C888DB", "C43D2CB156B7BD39FC113EAD22568306F95463D3E29CC3A697EB085F142533BB", "C53D3C47BD4A155045F99C1E4CBF677182A1008DEB57811C876885F82676C572", "C584062FF02196D3513361FBB98104F5FA7514B1ABD5ECCA55D19C8B859E090E", "C596338966F1610A28DC01FBB21502CC71651B70DBC8B96D9603EBE432E4D5E6", "C5DAC5DF01C24F5EFB24848FC6303A469E6334E4A45557026328B102974C1060", "C633E3F919C9BCD1EAFB625FB054DC01CA44ECB316E9D13E7A22A44BF1FFF391", "CA22EB6E856EBA35EEBB4E26E9399464F4765FC62AB8D4A61DDCD6F4EFCCCD56", "CA3D40199AA130F8902B805459C020634B871C3AC37DB92C060C76E96DFDCC98", "CC3CA2E6A057BD0C432A1C280BCDA473EAA13F9A6EA2532C58C5E8FD129BF2B1", "D054D1FB915BA204B059103047AE248EE28845425BAC252BCE0F9CFD4D129929", "D11AB976F85F6CB2A151F18E4C7DCD45359DDB99578FE739D459AA7C71585CEB", "D5FC516E557685CDE38A1C2C470F73080C33F28187E749A00C04F0812AFB9842", "D783A7F4DFFB9905E79E357ACA80CE9623FFC55147AEC4BAF71DFFC0CC45C9F3", "D82E9A8E624D2D7ED091F72D21B86BD1E1D17D89E3AEC4046D4D7622DEFAD2DC", "D84E883E0071349444463D3C96604B74757AC7CDD18A0C087FC175DAEB3F970A", "D9D5040D7845BC6BA508A3B5BA57533835B6E213079001A65EC14663AE4836F8", "DD464CE379B2EA45DB8FD5C1271CBEF5EA4164AAAFA4FB13859BABF4DFF16C6B", "E11D1831D193AEF5FF2EB9D7788E4B69929BB9B8080F134F95019007DD6ACC7C", "E298AFAE6C10545EEFE2EDCB1E58ACEB81769C82FC173BB89206A046496B5501", "E4A28F8F68186CEA27D3FEB20460BE3334CBCA58BC4385BFB2DAC3333FEF6C4B", "E4AF4AD51EF7B52C30AC56A83E532C18EBEF528DABCFCB69D2926CFA74BB2EFC", "E4EDC2FA169D0DA37CBCD0520BC305DF277DCFADF273F929C67930A8EE880A10", "E6075AA4421CDE4C93FB6FE776168FD888F3E662A7F0CD9B705035929B13694E", "E958100936EDC2D0333655BFE34E1B7F8D81CEDA480AF07C1DBCD19C65ABC6AD", "E9F3A90DA9806F4EB921B9D3B1386D06CBF6A6FC448F63739B13ABCC86AF0725", "EAE3626D697DD9AA184F2FB8430E9808A349261E042A2F475F1558DE0474E3B5", "EB9C97E1767E99DB5972AA6DB53446FFC1D2256CC95E283AD514F18189053A41", "EE6EFFD8E6A7D3AA032A7AB72AB7630EDD8444681F9729BDF2C014CB0210A741", "F0AFFAB5446BEF6A6B346CA7237A1583252E55B1EA002352E7DFDFFB5796363C", "F0DEAA11864C79AB944778587F6E4E173522B7E2598E5D03BA63AD035A2ABBA7", "F26EE38CBA6B93A0B0967DD4DF0B628E7EDCBF41134B0358C7BD18C0EBEC7F60", "F36B2B0C795AAB35C070C1F451EEF4EC2B7111576274E3352545DC96C6338B2A", "F3E9AF17DCD2EBC47BC32D0E05B6ACDCBFDDAF3EB47FFAC93CFD0FEBBBC04F7E", "F479B1D4D6CE6F94562BE83AEBC7D30E6633A6727AB24138B99039D7EB3AB70F", "F4ACF6A7E5D7DE1275D32AC83A2605BD1EBE8A601F49D9C5C4F88B34B70CD57C", "F65F1D96E364841337F0770420AA39E180E57CF181628F15C7259D9D9A9E8BDD", "F6DF55755772C64F805CFF82BE910F9FAAF52E5BFBF9672BC2262F5BAF685976", "F968064DF1D870E093FB1CBB6C9BC42A2AAB61D61095B3E288687BFC31A52BFD", "F9ED99C3F4B2D868A3826BA34135EFCC7EF1978329C535488F23E6CF98DA913D", "FB7B6E35D915B52C7BA312CAD9654CFF1BD017037BCC79FFFEB2D911AF77E8B6", "FBF04463FD979054AD645A3FD172D5826C3ABE6D6D2F80B590982B60B574F03D", "FC61ACAE0AB22E97FD911A75A9094C7517F5B67482635EEE91A119E450FC843D", "FD49F69A2433C54698143251927A4D0BFEC67AB881AEDC9C3EAC9D5E7CE41075", "FED8F524B9C595CB0D81C78AF8662D74D0C7960F6749FC6424484CB55637033C"]}, {"type": "ics", "idList": ["ICSMA-21-187-01"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:4F187FDBA230373382F26BA12E00F8E7"]}, {"type": "jvn", "idList": ["JVN:42883072", "JVN:90729322"]}, {"type": "kaspersky", "idList": ["KLA11679", "KLA11784", "KLA11785", "KLA11823", "KLA12083", "KLA12084"]}, {"type": "kitploit", "idList": ["KITPLOIT:5420210148456420402"]}, {"type": "mageia", "idList": ["MGASA-2020-0001", "MGASA-2020-0138", "MGASA-2020-0277", "MGASA-2020-0331", "MGASA-2021-0039", "MGASA-2021-0052", "MGASA-2021-0183", "MGASA-2021-0184", "MGASA-2021-0314", "MGASA-2021-0357"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY-SCANNER-HTTP-SPRINGCLOUD_DIRECTORY_TRAVERSAL-"]}, {"type": "myhack58", "idList": ["MYHACK58:62201785372", "MYHACK58:62201785395", "MYHACK58:62202097573"]}, {"type": "nessus", "idList": ["701269.PRM", "701329.PASL", "701331.PASL", "701350.PASL", "701351.PASL", "701385.PASL", "701386.PASL", "701387.PASL", "701388.PASL", "AJP_LFI_GHOSTCAT.NBIN", "AL2_ALAS-2020-1402.NASL", "AL2_ALAS-2020-1449.NASL", "AL2_ALAS-2020-1494.NASL", "AL2_ALAS-2021-1690.NASL", "ALA_ALAS-2020-1352.NASL", "ALA_ALAS-2020-1353.NASL", "ALA_ALAS-2020-1389.NASL", "ALA_ALAS-2020-1390.NASL", "ALA_ALAS-2020-1409.NASL", "ALA_ALAS-2020-1436.NASL", "ALA_ALAS-2020-1472.NASL", "ALA_ALAS-2021-1472.NASL", "ALA_ALAS-2021-1491.NASL", "ALA_ALAS-2021-1493.NASL", "ALA_ALAS-2022-1562.NASL", "ALA_ALAS-2022-1572.NASL", "ALMA_LINUX_ALSA-2020-4807.NASL", "ALMA_LINUX_ALSA-2022-1860.NASL", "ALMA_LINUX_ALSA-2022-1861.NASL", "APACHE_SHIRO_CVE-2020-17510.NASL", "CENTOS8_RHSA-2020-3665.NASL", "CENTOS8_RHSA-2020-4694.NASL", "CENTOS8_RHSA-2020-4807.NASL", "CENTOS8_RHSA-2021-1775.NASL", "CENTOS8_RHSA-2022-1860.NASL", "CENTOS8_RHSA-2022-1861.NASL", "CENTOS_RHSA-2017-2423.NASL", "CENTOS_RHSA-2020-0855.NASL", "CENTOS_RHSA-2020-0912.NASL", "CENTOS_RHSA-2020-2530.NASL", "CENTOS_RHSA-2020-4004.NASL", "CENTOS_RHSA-2020-5020.NASL", "CLOUDBEES_SECURITY_ADVISORY_2021-04-20.NASL", "DEBIAN_DLA-1941.NASL", "DEBIAN_DLA-2109.NASL", "DEBIAN_DLA-2110.NASL", "DEBIAN_DLA-2133.NASL", "DEBIAN_DLA-2209.NASL", "DEBIAN_DLA-2217.NASL", "DEBIAN_DLA-2279.NASL", "DEBIAN_DLA-2286.NASL", "DEBIAN_DLA-2364.NASL", "DEBIAN_DLA-2365.NASL", "DEBIAN_DLA-2400.NASL", "DEBIAN_DLA-2405.NASL", "DEBIAN_DLA-2507.NASL", "DEBIAN_DLA-2512.NASL", "DEBIAN_DLA-2595.NASL", "DEBIAN_DLA-2661.NASL", "DEBIAN_DLA-2726.NASL", "DEBIAN_DSA-4597.NASL", "DEBIAN_DSA-4673.NASL", "DEBIAN_DSA-4680.NASL", "DEBIAN_DSA-4727.NASL", "DEBIAN_DSA-4772.NASL", "DEBIAN_DSA-4828.NASL", "DEBIAN_DSA-4885.NASL", "DEBIAN_DSA-4908.NASL", "DEBIAN_DSA-4949.NASL", "EULEROS_SA-2017-1213.NASL", "EULEROS_SA-2017-1214.NASL", "EULEROS_SA-2020-1302.NASL", "EULEROS_SA-2020-1327.NASL", "EULEROS_SA-2020-1438.NASL", "EULEROS_SA-2020-1645.NASL", "EULEROS_SA-2020-1829.NASL", "EULEROS_SA-2020-1932.NASL", "EULEROS_SA-2020-2093.NASL", "EULEROS_SA-2020-2274.NASL", "EULEROS_SA-2020-2401.NASL", "EULEROS_SA-2021-1856.NASL", "EULEROS_SA-2021-1858.NASL", "EULEROS_SA-2021-1891.NASL", "EULEROS_SA-2021-1915.NASL", "EULEROS_SA-2021-1990.NASL", "EULEROS_SA-2021-2233.NASL", "EULEROS_SA-2021-2435.NASL", "EULEROS_SA-2021-2437.NASL", "F5_BIGIP_SOL18484125.NASL", "FEDORA_2017-11EDC0D6C3.NASL", "FEDORA_2017-2CCFBD650A.NASL", "FEDORA_2017-511EBFA8A3.NASL", "FEDORA_2017-7E0FF7F73A.NASL", "FEDORA_2017-8348115ACD.NASL", "FEDORA_2017-B8358CDA24.NASL", "FEDORA_2019-C96A8D12B0.NASL", "FEDORA_2019-DA0EAC1EB6.NASL", "FEDORA_2020-23012FAFBC.NASL", "FEDORA_2020-239503F5FA.NASL", "FEDORA_2020-A55F130272.NASL", "FEDORA_2020-CE396E7D5C.NASL", "FEDORA_2020-DF970DA9FC.NASL", "FEDORA_2021-8B17A2725E.NASL", "FEDORA_2021-DC83AE690A.NASL", "FREEBSD_PKG_20006B5FA0BC11EB8AE6FC4DD43E2B6A.NASL", "FREEBSD_PKG_676CA4869C1E11EA8B5EB42E99A1B9C3.NASL", "FREEBSD_PKG_6A72EFF7CCD611EA91724C72B94353B5.NASL", "FREEBSD_PKG_70E71A24015111ECBF0C080027EEDC6A.NASL", "FREEBSD_PKG_730E922F20E711ECA574080027EEDC6A.NASL", "FREEBSD_PKG_B07BDD3C080911EBA3A40019DBB15B3F.NASL", "FREEBSD_PKG_E358B470B37D4E47BC8A2CD9ADBEB63C.NASL", "GENTOO_GLSA-202003-43.NASL", "GENTOO_GLSA-202006-21.NASL", "GENTOO_GLSA-202107-52.NASL", "JENKINS_2_286.NASL", "JFROG_ARTIFACTORY_6_23_0.NASL", "JFROG_ARTIFACTORY_7_10_1.NASL", "JFROG_ARTIFACTORY_7_7_0.NASL", "JUNIPER_SPACE_JSA_10838.NASL", "MCAFEE_EPO_SB10332.NASL", "MYSQL_ENTERPRISE_MONITOR_3_4_8.NASL", "MYSQL_ENTERPRISE_MONITOR_8_0_20_1237.NASL", "MYSQL_ENTERPRISE_MONITOR_8_0_22_1262.NASL", "MYSQL_ENTERPRISE_MONITOR_8_0_23.NASL", "NEWSTART_CGSL_NS-SA-2020-0038_TOMCAT.NASL", "NEWSTART_CGSL_NS-SA-2020-0048_TOMCAT6.NASL", "NEWSTART_CGSL_NS-SA-2020-0055_TOMCAT.NASL", "NEWSTART_CGSL_NS-SA-2020-0085_TOMCAT.NASL", "NEWSTART_CGSL_NS-SA-2021-0028_TOMCAT.NASL", "NEWSTART_CGSL_NS-SA-2021-0135_TOMCAT.NASL", "NEWSTART_CGSL_NS-SA-2021-0144_TOMCAT.NASL", "OPENSUSE-2020-1051.NASL", "OPENSUSE-2020-1063.NASL", "OPENSUSE-2020-1102.NASL", "OPENSUSE-2020-1111.NASL", "OPENSUSE-2020-345.NASL", "OPENSUSE-2020-597.NASL", "OPENSUSE-2020-711.NASL", "OPENSUSE-2021-140.NASL", "OPENSUSE-2021-1876.NASL", "OPENSUSE-2021-2005.NASL", "OPENSUSE-2021-447.NASL", "OPENSUSE-2021-496.NASL", "OPENSUSE-2021-855.NASL", "OPENSUSE-2022-0818-1.NASL", "ORACLELINUX_ELSA-2017-2423.NASL", "ORACLELINUX_ELSA-2020-0855.NASL", "ORACLELINUX_ELSA-2020-0912.NASL", "ORACLELINUX_ELSA-2020-2529.NASL", "ORACLELINUX_ELSA-2020-2530.NASL", "ORACLELINUX_ELSA-2020-3665.NASL", "ORACLELINUX_ELSA-2020-4807.NASL", "ORACLELINUX_ELSA-2020-5020.NASL", "ORACLELINUX_ELSA-2021-1775.NASL", "ORACLELINUX_ELSA-2022-1860.NASL", "ORACLELINUX_ELSA-2022-1861.NASL", "ORACLELINUX_ELSA-2022-9419.NASL", "ORACLE_BI_PUBLISHER_OCT_2018_CPU.NASL", "ORACLE_BPM_CPU_JAN_2021.NASL", "ORACLE_BPM_CPU_OCT_2020.NASL", "ORACLE_E-BUSINESS_CPU_JAN_2022.NASL", "ORACLE_ENTERPRISE_MANAGER_JUL_2018_CPU.NASL", "ORACLE_GOLDENGATE_FOR_BIG_DATA_CPU_JAN_2019.NASL", "ORACLE_HTTP_SERVER_CPU_JAN_2018.NASL", "ORACLE_IDENTITY_MANAGEMENT_CPU_OCT_2018.NASL", "ORACLE_JDEVELOPER_CPU_JUL_2021.NASL", "ORACLE_NOSQL_CPU_APR_2021.NASL", "ORACLE_OATS_CPU_JUL_2018.NASL", "ORACLE_OATS_CPU_JUL_2020.NASL", "ORACLE_PRIMAVERA_GATEWAY_CPU_APR_2020.NASL", "ORACLE_PRIMAVERA_GATEWAY_CPU_JAN_2021.NASL", "ORACLE_PRIMAVERA_GATEWAY_CPU_JUL_2020.NASL", "ORACLE_PRIMAVERA_P6_EPPM_CPU_JAN_2021.NASL", "ORACLE_PRIMAVERA_UNIFIER_CPU_APR_2021.NASL", "ORACLE_PRIMAVERA_UNIFIER_CPU_JUL_2021.NASL", "ORACLE_RDBMS_CPU_APR_2021.NASL", "ORACLE_RDBMS_CPU_JUL_2021.NASL", "ORACLE_RDBMS_CPU_OCT_2020.NASL", "ORACLE_SECURE_GLOBAL_DESKTOP_JAN_2018_CPU.NASL", "ORACLE_WEBCENTER_PORTAL_CPU_APR_2018.NBIN", "ORACLE_WEBCENTER_PORTAL_CPU_APR_2021.NASL", "ORACLE_WEBCENTER_PORTAL_CPU_JUL_2021.NASL", "ORACLE_WEBCENTER_SITES_CPU_APR_2022.NASL", "ORACLE_WEBCENTER_SITES_OCT_2021_CPU.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_APR_2018.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_JAN_2020.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_JAN_2021.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_JAN_2022.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_JUL_2020.NASL", "PHOTONOS_PHSA-2020-1_0-0298_APACHE.NASL", "PHOTONOS_PHSA-2020-1_0-0308_APACHE.NASL", "PHOTONOS_PHSA-2020-1_0-0309_APACHE.NASL", "PHOTONOS_PHSA-2020-2_0-0248_APACHE.NASL", "PHOTONOS_PHSA-2020-2_0-0263_APACHE.NASL", "PHOTONOS_PHSA-2020-2_0-0265_APACHE.NASL", "PHOTONOS_PHSA-2020-3_0-0069_APACHE.NASL", "PHOTONOS_PHSA-2020-3_0-0100_APACHE.NASL", "PHOTONOS_PHSA-2020-3_0-0114_APACHE.NASL", "PHOTONOS_PHSA-2020-3_0-0116_APACHE.NASL", "REDHAT-RHSA-2017-1801.NASL", "REDHAT-RHSA-2017-2423.NASL", "REDHAT-RHSA-2017-2635.NASL", "REDHAT-RHSA-2017-2636.NASL", "REDHAT-RHSA-2017-2637.NASL", "REDHAT-RHSA-2017-2638.NASL", "REDHAT-RHSA-2017-2808.NASL", "REDHAT-RHSA-2017-2809.NASL", "REDHAT-RHSA-2017-2811.NASL", "REDHAT-RHSA-2017-3399.NASL", "REDHAT-RHSA-2020-0159.NASL", "REDHAT-RHSA-2020-0160.NASL", "REDHAT-RHSA-2020-0161.NASL", "REDHAT-RHSA-2020-0605.NASL", "REDHAT-RHSA-2020-0804.NASL", "REDHAT-RHSA-2020-0805.NASL", "REDHAT-RHSA-2020-0806.NASL", "REDHAT-RHSA-2020-0855.NASL", "REDHAT-RHSA-2020-0861.NASL", "REDHAT-RHSA-2020-0912.NASL", "REDHAT-RHSA-2020-0962.NASL", "REDHAT-RHSA-2020-1478.NASL", "REDHAT-RHSA-2020-1520.NASL", "REDHAT-RHSA-2020-2058.NASL", "REDHAT-RHSA-2020-2059.NASL", "REDHAT-RHSA-2020-2060.NASL", "REDHAT-RHSA-2020-2483.NASL", "REDHAT-RHSA-2020-2506.NASL", "REDHAT-RHSA-2020-2511.NASL", "REDHAT-RHSA-2020-2512.NASL", "REDHAT-RHSA-2020-2513.NASL", "REDHAT-RHSA-2020-2529.NASL", "REDHAT-RHSA-2020-2530.NASL", "REDHAT-RHSA-2020-2779.NASL", "REDHAT-RHSA-2020-2780.NASL", "REDHAT-RHSA-2020-2781.NASL", "REDHAT-RHSA-2020-2840.NASL", "REDHAT-RHSA-2020-3141.NASL", "REDHAT-RHSA-2020-3142.NASL", "REDHAT-RHSA-2020-3303.NASL", "REDHAT-RHSA-2020-3306.NASL", "REDHAT-RHSA-2020-3369.NASL", "REDHAT-RHSA-2020-3383.NASL", "REDHAT-RHSA-2020-3461.NASL", "REDHAT-RHSA-2020-3462.NASL", "REDHAT-RHSA-2020-3463.NASL", "REDHAT-RHSA-2020-3637.NASL", "REDHAT-RHSA-2020-3638.NASL", "REDHAT-RHSA-2020-3639.NASL", "REDHAT-RHSA-2020-3665.NASL", "REDHAT-RHSA-2020-3817.NASL", "REDHAT-RHSA-2020-4004.NASL", "REDHAT-RHSA-2020-4214.NASL", "REDHAT-RHSA-2020-4244.NASL", "REDHAT-RHSA-2020-4245.NASL", "REDHAT-RHSA-2020-4256.NASL", "REDHAT-RHSA-2020-4297.NASL", "REDHAT-RHSA-2020-4366.NASL", "REDHAT-RHSA-2020-4694.NASL", "REDHAT-RHSA-2020-4807.NASL", "REDHAT-RHSA-2020-4847.NASL", "REDHAT-RHSA-2020-4922.NASL", "REDHAT-RHSA-2020-5020.NASL", "REDHAT-RHSA-2020-5054.NASL", "REDHAT-RHSA-2020-5055.NASL", "REDHAT-RHSA-2020-5056.NASL", "REDHAT-RHSA-2020-5168.NASL", "REDHAT-RHSA-2020-5170.NASL", "REDHAT-RHSA-2020-5175.NASL", "REDHAT-RHSA-2020-5340.NASL", "REDHAT-RHSA-2020-5341.NASL", "REDHAT-RHSA-2020-5342.NASL", "REDHAT-RHSA-2021-0246.NASL", "REDHAT-RHSA-2021-0247.NASL", "REDHAT-RHSA-2021-0248.NASL", "REDHAT-RHSA-2021-0872.NASL", "REDHAT-RHSA-2021-0873.NASL", "REDHAT-RHSA-2021-0874.NASL", "REDHAT-RHSA-2021-0882.NASL", "REDHAT-RHSA-2021-1030.NASL", "REDHAT-RHSA-2021-1313.NASL", "REDHAT-RHSA-2021-1509.NASL", "REDHAT-RHSA-2021-1551.NASL", "REDHAT-RHSA-2021-1775.NASL", "REDHAT-RHSA-2021-2046.NASL", "REDHAT-RHSA-2021-2047.NASL", "REDHAT-RHSA-2021-2048.NASL", "REDHAT-RHSA-2021-2431.NASL", "REDHAT-RHSA-2021-2499.NASL", "REDHAT-RHSA-2021-2517.NASL", "REDHAT-RHSA-2021-2561.NASL", "REDHAT-RHSA-2021-3656.NASL", "REDHAT-RHSA-2021-3658.NASL", "REDHAT-RHSA-2022-0722.NASL", "REDHAT-RHSA-2022-1860.NASL", "REDHAT-RHSA-2022-1861.NASL", "REDHAT-RHSA-2022-5459.NASL", "REDHAT-RHSA-2022-5460.NASL", "SL_20170807_LOG4J_ON_SL7_X.NASL", "SL_20200317_TOMCAT_ON_SL7_X.NASL", "SL_20200323_TOMCAT6_ON_SL6_X.NASL", "SL_20200611_TOMCAT6_ON_SL6_X.NASL", "SL_20200611_TOMCAT_ON_SL7_X.NASL", "SL_20201001_TOMCAT_ON_SL7_X.NASL", "SL_20201110_TOMCAT_ON_SL7_X.NASL", "SPRING_CLOUD_CONFIG_CVE-2020-5410.NASL", "SUN_JAVA_WEB_SERVER_7_0_27.NASL", "SUSE_SU-2020-1111-1.NASL", "SUSE_SU-2020-1126-1.NASL", "SUSE_SU-2020-1272-1.NASL", "SUSE_SU-2020-14334-1.NASL", "SUSE_SU-2020-14342-1.NASL", "SUSE_SU-2020-14375-1.NASL", "SUSE_SU-2021-14705-1.NASL", "SUSE_SU-2021-1876-1.NASL", "SUSE_SU-2021-2005-1.NASL", "SUSE_SU-2022-0694-1.NASL", "SUSE_SU-2022-0695-1.NASL", "SUSE_SU-2022-0784-1.NASL", "SUSE_SU-2022-0818-1.NASL", "TOMCAT_10_0_0_M5.NASL", "TOMCAT_10_0_0_M6.NASL", "TOMCAT_10_0_0_M7.NASL", "TOMCAT_10_0_16.NASL", "TOMCAT_10_0_2.NASL", "TOMCAT_10_1_0_M10.NASL", "TOMCAT_7_0_104.NASL", "TOMCAT_7_0_105.NASL", "TOMCAT_7_0_108.NASL", "TOMCAT_8_5_55.NASL", "TOMCAT_8_5_56.NASL", "TOMCAT_8_5_57.NASL", "TOMCAT_8_5_63.NASL", "TOMCAT_8_5_75.NASL", "TOMCAT_9_0_31.NASL", "TOMCAT_9_0_35.NASL", "TOMCAT_9_0_36.NASL", "TOMCAT_9_0_37.NASL", "TOMCAT_9_0_43.NASL", "TOMCAT_9_0_58.NASL", "UBUNTU_USN-4448-1.NASL", "UBUNTU_USN-4532-1.NASL", "UBUNTU_USN-4596-1.NASL", "UBUNTU_USN-4600-1.NASL", "UBUNTU_USN-4600-2.NASL", "UBUNTU_USN-4714-1.NASL", "UBUNTU_USN-4943-1.NASL", "UBUNTU_USN-5360-1.NASL", "VIRTUOZZO_VZLSA-2020-5020.NASL", "WEB_APPLICATION_SCANNING_112426", "WEB_APPLICATION_SCANNING_112427", "WEB_APPLICATION_SCANNING_112428", "WEB_APPLICATION_SCANNING_112429", "WEB_APPLICATION_SCANNING_112548", "WEB_APPLICATION_SCANNING_112549", "WEB_APPLICATION_SCANNING_112557", "WEB_APPLICATION_SCANNING_112558", "WEB_APPLICATION_SCANNING_112559", "WEB_APPLICATION_SCANNING_112560", "WEB_APPLICATION_SCANNING_112561", "WEB_APPLICATION_SCANNING_112709", "WEB_APPLICATION_SCANNING_112710", "WEB_APPLICATION_SCANNING_112711", "WEB_APPLICATION_SCANNING_112712", "WEB_APPLICATION_SCANNING_112993", "WEB_APPLICATION_SCANNING_112994", "WEB_APPLICATION_SCANNING_112995", "WEB_APPLICATION_SCANNING_113002", "WEB_APPLICATION_SCANNING_98946", "WEB_APPLICATION_SCANNING_98947", "WEB_APPLICATION_SCANNING_98948"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310143545", "OPENVAS:1361412562310143549", "OPENVAS:1361412562310143550", "OPENVAS:1361412562310143963", "OPENVAS:1361412562310143964", "OPENVAS:1361412562310144180", "OPENVAS:1361412562310144181", "OPENVAS:1361412562310144273", "OPENVAS:1361412562310144274", "OPENVAS:1361412562310704597", "OPENVAS:1361412562310704673", "OPENVAS:1361412562310704680", "OPENVAS:1361412562310704727", "OPENVAS:1361412562310814409", "OPENVAS:1361412562310853073", "OPENVAS:1361412562310853132", "OPENVAS:1361412562310853179", "OPENVAS:1361412562310871877", "OPENVAS:1361412562310872637", "OPENVAS:1361412562310872638", "OPENVAS:1361412562310872757", "OPENVAS:1361412562310872759", "OPENVAS:1361412562310876940", "OPENVAS:1361412562310877192", "OPENVAS:1361412562310877641", "OPENVAS:1361412562310877649", "OPENVAS:1361412562310877651", "OPENVAS:1361412562310877752", "OPENVAS:1361412562310877761", "OPENVAS:1361412562310877967", "OPENVAS:1361412562310877995", "OPENVAS:1361412562310883204", "OPENVAS:1361412562310883212", "OPENVAS:1361412562310883252", "OPENVAS:1361412562310891941", "OPENVAS:1361412562310892109", "OPENVAS:1361412562310892110", "OPENVAS:1361412562310892133", "OPENVAS:1361412562310892209", "OPENVAS:1361412562310892217", "OPENVAS:1361412562310892279", "OPENVAS:1361412562311220171213", "OPENVAS:1361412562311220171214", "OPENVAS:1361412562311220201302", "OPENVAS:1361412562311220201327", "OPENVAS:1361412562311220201438", "OPENVAS:1361412562311220201645"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2018", "ORACLE:CPUAPR2018-3678067", "ORACLE:CPUAPR2019", "ORACLE:CPUAPR2019-5072813", "ORACLE:CPUAPR2020", "ORACLE:CPUAPR2021", "ORACLE:CPUAPR2022", "ORACLE:CPUJAN2018", "ORACLE:CPUJAN2018-3236628", "ORACLE:CPUJAN2019", "ORACLE:CPUJAN2019-5072801", "ORACLE:CPUJAN2020", "ORACLE:CPUJAN2021", "ORACLE:CPUJAN2022", "ORACLE:CPUJUL2018", "ORACLE:CPUJUL2018-4258247", "ORACLE:CPUJUL2019", "ORACLE:CPUJUL2019-5072835", "ORACLE:CPUJUL2020", "ORACLE:CPUJUL2021", "ORACLE:CPUJUL2022", "ORACLE:CPUOCT2018", "ORACLE:CPUOCT2018-4428296", "ORACLE:CPUOCT2019", "ORACLE:CPUOCT2019-5072832", "ORACLE:CPUOCT2020", "ORACLE:CPUOCT2021"]}, {"type": "oraclelinux", "idList": ["ELSA-2017-2423", "ELSA-2020-0855", "ELSA-2020-0912", "ELSA-2020-2529", "ELSA-2020-2530", "ELSA-2020-3665", "ELSA-2020-4004", "ELSA-2020-4694", "ELSA-2020-4807", "ELSA-2020-5020", "ELSA-2021-1775", "ELSA-2022-1860", "ELSA-2022-1861", "ELSA-2022-9419"]}, {"type": "osv", "idList": ["OSV:DLA-1941-1", "OSV:DLA-2109-1", "OSV:DLA-2110-1", "OSV:DLA-2133-1", "OSV:DLA-2209-1", "OSV:DLA-2217-1", "OSV:DLA-2279-1", "OSV:DLA-2286-1", "OSV:DLA-2364-1", "OSV:DLA-2365-1", "OSV:DLA-2400-1", "OSV:DLA-2405-1", "OSV:DLA-2507-1", "OSV:DLA-2512-1", "OSV:DLA-2594-1", "OSV:DLA-2595-1", "OSV:DLA-2661-1", "OSV:DLA-2726-1", "OSV:DSA-4597-1", "OSV:DSA-4673-1", "OSV:DSA-4680-1", "OSV:DSA-4727-1", "OSV:DSA-4772-1", "OSV:DSA-4828-1", "OSV:DSA-4885-1", "OSV:DSA-4908-1", "OSV:DSA-4949-1", "OSV:GHSA-26VR-8J45-3R4W", "OSV:GHSA-29QJ-RVV6-QRMV", "OSV:GHSA-2H3J-M7GR-25XJ", "OSV:GHSA-32XF-JWMV-9HF3", "OSV:GHSA-344F-F5VG-2JFJ", "OSV:GHSA-4CCH-WXPW-8P28", "OSV:GHSA-53HP-JPWQ-2JGQ", "OSV:GHSA-53X6-4X5P-RRVV", "OSV:GHSA-59J4-WJWP-MW9M", "OSV:GHSA-5RCV-M4M3-HFH7", "OSV:GHSA-63CQ-PPQ8-CW6G", "OSV:GHSA-64X2-GQ24-75PV", "OSV:GHSA-6VQP-H455-42MR", "OSV:GHSA-73XV-W5GP-FRXH", "OSV:GHSA-7CJ4-GJ8M-M2F7", "OSV:GHSA-7FHR-2694-RG79", "OSV:GHSA-7Q5G-GPH2-4RC6", "OSV:GHSA-7R82-7XV7-XCPJ", "OSV:GHSA-9F3J-PM6F-9FM5", "OSV:GHSA-C738-77X8-WMQ5", "OSV:GHSA-C9HW-WF7X-JP9J", "OSV:GHSA-CCCF-7XW3-P2VR", "OSV:GHSA-FF2W-CQ2G-WV5F", "OSV:GHSA-FXPH-Q3J8-MV87", "OSV:GHSA-G3WG-6MCF-8JJ6", "OSV:GHSA-HR32-MGPM-QF2F", "OSV:GHSA-HWVM-VFW8-93MW", "OSV:GHSA-J8JW-G6FQ-MP7H", "OSV:GHSA-JGWR-3QM3-26F3", "OSV:GHSA-M7JV-HQ7H-MQ7C", "OSV:GHSA-P2V9-G2QV-P635", "OSV:GHSA-P979-4MFW-53VG", "OSV:GHSA-QQ48-M4JX-XQH8", "OSV:GHSA-QXF4-CHVG-4R8R", "OSV:GHSA-RMRM-75HP-PHR2", "OSV:GHSA-RPQ8-MMWH-Q9HM", "OSV:GHSA-RV39-3QH7-9V7W", "OSV:GHSA-RVWF-54QP-4R6V", "OSV:GHSA-V4QH-6367-4CX2", "OSV:GHSA-V528-7HRM-FRQP", "OSV:GHSA-VF77-8H7G-GGHP", "OSV:GHSA-W4JQ-QH47-HVJQ", "OSV:GHSA-XGRX-XPV2-6VP4", "OSV:GO-2020-0015"]}, {"type": "photon", "idList": ["PHSA-2020-0069", "PHSA-2020-0100", "PHSA-2020-0114", "PHSA-2020-0116", "PHSA-2020-0218", "PHSA-2020-0248", "PHSA-2020-0263", "PHSA-2020-0285", "PHSA-2020-0298", "PHSA-2020-0308", "PHSA-2020-0309", "PHSA-2020-1.0-0285", "PHSA-2020-1.0-0298", "PHSA-2020-1.0-0308", "PHSA-2020-1.0-0309", "PHSA-2020-2.0-0248", "PHSA-2020-2.0-0263", "PHSA-2020-2.0-0265", "PHSA-2020-3.0-0069", "PHSA-2020-3.0-0100", "PHSA-2020-3.0-0114", "PHSA-2020-3.0-0116"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0E0377FD948B0481F7D7DC678F26D14F", "QUALYSBLOG:BC451493BC4D8290B1A1CF86E18A6F98"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:1337FDDA53CBD823DC2468664817FC4E"]}, {"type": "redhat", "idList": ["RHSA-2017:1417", "RHSA-2017:1801", "RHSA-2017:1802", "RHSA-2017:2423", "RHSA-2017:2633", "RHSA-2017:2635", "RHSA-2017:2636", "RHSA-2017:2637", "RHSA-2017:2638", "RHSA-2017:2808", "RHSA-2017:2809", "RHSA-2017:2810", "RHSA-2017:2811", "RHSA-2017:2888", "RHSA-2017:2889", "RHSA-2017:3244", "RHSA-2017:3399", "RHSA-2017:3400", "RHSA-2019:1545", "RHSA-2019:3892", "RHSA-2019:3901", "RHSA-2020:0159", "RHSA-2020:0160", "RHSA-2020:0161", "RHSA-2020:0164", "RHSA-2020:0445", "RHSA-2020:0497", "RHSA-2020:0567", "RHSA-2020:0601", "RHSA-2020:0605", "RHSA-2020:0606", "RHSA-2020:0804", "RHSA-2020:0805", "RHSA-2020:0806", "RHSA-2020:0811", "RHSA-2020:0855", "RHSA-2020:0860", "RHSA-2020:0861", "RHSA-2020:0912", "RHSA-2020:0922", "RHSA-2020:0939", "RHSA-2020:0951", "RHSA-2020:0961", "RHSA-2020:0962", "RHSA-2020:1445", "RHSA-2020:1478", "RHSA-2020:1479", "RHSA-2020:1520", "RHSA-2020:1521", "RHSA-2020:2058", "RHSA-2020:2059", "RHSA-2020:2060", "RHSA-2020:2061", "RHSA-2020:2067", "RHSA-2020:2112", "RHSA-2020:2113", "RHSA-2020:2321", "RHSA-2020:2333", "RHSA-2020:2367", "RHSA-2020:2483", "RHSA-2020:2487", "RHSA-2020:2506", "RHSA-2020:2509", "RHSA-2020:2511", "RHSA-2020:2512", "RHSA-2020:2513", "RHSA-2020:2515", "RHSA-2020:2529", "RHSA-2020:2530", "RHSA-2020:2603", "RHSA-2020:2779", "RHSA-2020:2780", "RHSA-2020:2781", "RHSA-2020:2783", "RHSA-2020:2813", "RHSA-2020:2840", "RHSA-2020:2905", "RHSA-2020:3017", "RHSA-2020:3141", "RHSA-2020:3142", "RHSA-2020:3143", "RHSA-2020:3144", "RHSA-2020:3192", "RHSA-2020:3196", "RHSA-2020:3197", "RHSA-2020:3303", "RHSA-2020:3305", "RHSA-2020:3306", "RHSA-2020:3308", "RHSA-2020:3369", "RHSA-2020:3372", "RHSA-2020:3382", "RHSA-2020:3383", "RHSA-2020:3461", "RHSA-2020:3462", "RHSA-2020:3463", "RHSA-2020:3464", "RHSA-2020:3501", "RHSA-2020:3539", "RHSA-2020:3578", "RHSA-2020:3585", "RHSA-2020:3637", "RHSA-2020:3638", "RHSA-2020:3639", "RHSA-2020:3642", "RHSA-2020:3665", "RHSA-2020:3727", "RHSA-2020:3730", "RHSA-2020:3731", "RHSA-2020:3779", "RHSA-2020:3780", "RHSA-2020:3783", "RHSA-2020:3806", "RHSA-2020:3817", "RHSA-2020:4004", "RHSA-2020:4214", "RHSA-2020:4244", "RHSA-2020:4245", "RHSA-2020:4246", "RHSA-2020:4247", "RHSA-2020:4252", "RHSA-2020:4256", "RHSA-2020:4257", "RHSA-2020:4297", "RHSA-2020:4298", "RHSA-2020:4344", "RHSA-2020:4366", "RHSA-2020:4694", "RHSA-2020:4807", "RHSA-2020:4847", "RHSA-2020:4922", "RHSA-2020:4923", "RHSA-2020:4931", "RHSA-2020:4960", "RHSA-2020:4961", "RHSA-2020:4978", "RHSA-2020:5020", "RHSA-2020:5054", "RHSA-2020:5055", "RHSA-2020:5056", "RHSA-2020:5149", "RHSA-2020:5168", "RHSA-2020:5170", "RHSA-2020:5173", "RHSA-2020:5174", "RHSA-2020:5175", "RHSA-2020:5198", "RHSA-2020:5254", "RHSA-2020:5302", "RHSA-2020:5340", "RHSA-2020:5341", "RHSA-2020:5342", "RHSA-2020:5344", "RHSA-2020:5361", "RHSA-2020:5365", "RHSA-2020:5388", "RHSA-2020:5410", "RHSA-2020:5533", "RHSA-2020:5568", "RHSA-2020:5605", "RHSA-2020:5606", "RHSA-2020:5633", "RHSA-2020:5635", "RHSA-2021:0084", "RHSA-2021:0246", "RHSA-2021:0247", "RHSA-2021:0248", "RHSA-2021:0250", "RHSA-2021:0292", "RHSA-2021:0295", "RHSA-2021:0327", "RHSA-2021:0329", "RHSA-2021:0420", "RHSA-2021:0433", "RHSA-2021:0600", "RHSA-2021:0603", "RHSA-2021:0719", "RHSA-2021:0799", "RHSA-2021:0811", "RHSA-2021:0872", "RHSA-2021:0873", "RHSA-2021:0874", "RHSA-2021:0882", "RHSA-2021:0885", "RHSA-2021:0974", "RHSA-2021:0980", "RHSA-2021:1004", "RHSA-2021:1030", "RHSA-2021:1044", "RHSA-2021:1129", "RHSA-2021:1168", "RHSA-2021:1313", "RHSA-2021:1369", "RHSA-2021:1401", "RHSA-2021:1509", "RHSA-2021:1551", "RHSA-2021:1552", "RHSA-2021:1560", "RHSA-2021:1561", "RHSA-2021:1775", "RHSA-2021:2039", "RHSA-2021:2046", "RHSA-2021:2047", "RHSA-2021:2048", "RHSA-2021:2051", "RHSA-2021:2139", "RHSA-2021:2210", "RHSA-2021:2431", "RHSA-2021:2461", "RHSA-2021:2475", "RHSA-2021:2476", "RHSA-2021:2499", "RHSA-2021:2517", "RHSA-2021:2561", "RHSA-2021:2562", "RHSA-2021:2689", "RHSA-2021:2755", "RHSA-2021:3205", "RHSA-2021:3207", "RHSA-2021:3225", "RHSA-2021:3425", "RHSA-2021:3656", "RHSA-2021:3658", "RHSA-2021:3660", "RHSA-2021:3700", "RHSA-2021:4100", "RHSA-2021:4767", "RHSA-2021:4918", "RHSA-2021:5134", "RHSA-2022:0722", "RHSA-2022:1860", "RHSA-2022:1861", "RHSA-2022:5458", "RHSA-2022:5459", "RHSA-2022:5460", "RHSA-2022:5532"]}, {"type": "redhatcve", "idList": ["RH:CVE-2017-18640", "RH:CVE-2017-5645", "RH:CVE-2019-12402", "RH:CVE-2019-14887", "RH:CVE-2019-16869", "RH:CVE-2019-17571", "RH:CVE-2019-20444", "RH:CVE-2019-20445", "RH:CVE-2020-10688", "RH:CVE-2020-10693", "RH:CVE-2020-10714", "RH:CVE-2020-10719", "RH:CVE-2020-11996", "RH:CVE-2020-13920", "RH:CVE-2020-13934", "RH:CVE-2020-13935", "RH:CVE-2020-13936", "RH:CVE-2020-13954", "RH:CVE-2020-13956", "RH:CVE-2020-14040", "RH:CVE-2020-14297", "RH:CVE-2020-14298", "RH:CVE-2020-14338", "RH:CVE-2020-14340", "RH:CVE-2020-14384", "RH:CVE-2020-1695", "RH:CVE-2020-1745", "RH:CVE-2020-17510", "RH:CVE-2020-17518", "RH:CVE-2020-1925", "RH:CVE-2020-1935", "RH:CVE-2020-1938", "RH:CVE-2020-25633", "RH:CVE-2020-25638", "RH:CVE-2020-25640", "RH:CVE-2020-25644", "RH:CVE-2020-26258", "RH:CVE-2020-26945", "RH:CVE-2020-27216", "RH:CVE-2020-28052", "RH:CVE-2020-5410", "RH:CVE-2020-5421", "RH:CVE-2020-6950", "RH:CVE-2020-7238", "RH:CVE-2020-9484", "RH:CVE-2021-25329", "RH:CVE-2021-27568", "RH:CVE-2021-27807", "RH:CVE-2021-27906", "RH:CVE-2021-28165", "RH:CVE-2022-23181"]}, {"type": "seebug", "idList": ["SSV:92965"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0345-1", "OPENSUSE-SU-2020:0597-1", "OPENSUSE-SU-2020:0711-1", "OPENSUSE-SU-2020:1051-1", "OPENSUSE-SU-2020:1063-1", "OPENSUSE-SU-2020:1102-1", "OPENSUSE-SU-2020:1111-1", "OPENSUSE-SU-2021:0140-1", "OPENSUSE-SU-2021:0447-1", "OPENSUSE-SU-2021:0496-1", "OPENSUSE-SU-2021:1876-1", "OPENSUSE-SU-2021:2005-1"]}, {"type": "symantec", "idList": ["SMNTC-111427", "SMNTC-111512", "SMNTC-1765", "SMNTC-17650", "SMNTC-97702"]}, {"type": "thn", "idList": ["THN:C6364AF85A1C10659ACD33775E77BDB6", "THN:EF08CCF54E69481550D84949A563BAD5"]}, {"type": "threatpost", "idList": ["THREATPOST:1586A7AFAD80F6833B8727AD8E03DB79", "THREATPOST:214533340038BB91553A4B59BF7E7E5A", "THREATPOST:313F32F60D9EA2BAD10FC02FD1936D67", "THREATPOST:3D576143F8EA06A1EACB6AEEAE147F1C", "THREATPOST:4397A021D669D8AF15AA58DF915F8BB6", "THREATPOST:5FB916D9A9E9391705A03D236B3C2870", "THREATPOST:6BEB55D8FA8C618B09A43D9F8FFB921B", "THREATPOST:EE9B6A926627297E472D038C8C507D06"]}, {"type": "tomcat", "idList": ["TOMCAT:0272BA84012892D369AEA1B59399E0A5", "TOMCAT:03526B264C3CCDD4C74F8B8FBF02E5E4", "TOMCAT:05A191E24B2303184CA1970729C00C81", "TOMCAT:134FFF2A5E889835054EC92E557C984D", "TOMCAT:36341E62C29FA8D208E5019D7D60DFC8", "TOMCAT:38E1DC5950ADDBB8A055F354B172C65E", "TOMCAT:47B91042927062AB4C945C176AD09B02", "TOMCAT:5240E60E42AA59815FABAFAFBE8E089C", "TOMCAT:664B7FB043CE1DA3FFE3E5FB72DB8E6D", "TOMCAT:72A659F35396F865D9A18EB5614CF486", "TOMCAT:75BDD1762995663D2613C2EC3D1F16DD", "TOMCAT:8A2C262DE6E0BAC59E53AD562A9743FE", "TOMCAT:9B658D22C08634C8C17F1EFEE3366D4D", "TOMCAT:A01991EC43D0F6A28E9CB4553C6B4670", "TOMCAT:BD106E970B6D4964B80C5CC3715C6DD2", "TOMCAT:BE665F9148D024F7474C0628515C3A37", "TOMCAT:C3F367059A3E9B8636ED41FF901D93F9", "TOMCAT:C5537152452B543D3F3B9565BB62CA70", "TOMCAT:C878975BAAD7823EE793B63FC6053125", "TOMCAT:CCAD5F704056771CAFA7305B5EB8A87E", "TOMCAT:D9EB0EA37A1698F04779A8D08F88C62E", "TOMCAT:E76617B2A121AAAE8F7420BCA50A252C"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:2CA47F0816E5DABCE6EBAF8E27EAF620"]}, {"type": "ubuntu", "idList": ["USN-4448-1", "USN-4532-1", "USN-4596-1", "USN-4600-1", "USN-4600-2", "USN-4714-1", "USN-4943-1", "USN-5360-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-18640", "UB:CVE-2017-5645", "UB:CVE-2019-12402", "UB:CVE-2019-16869", "UB:CVE-2019-20445", "UB:CVE-2020-10688", "UB:CVE-2020-10693", "UB:CVE-2020-10719", "UB:CVE-2020-11996", "UB:CVE-2020-13920", "UB:CVE-2020-13934", "UB:CVE-2020-13935", "UB:CVE-2020-13936", "UB:CVE-2020-13956", "UB:CVE-2020-14040", "UB:CVE-2020-14340", "UB:CVE-2020-1695", "UB:CVE-2020-17510", "UB:CVE-2020-1935", "UB:CVE-2020-1938", "UB:CVE-2020-25633", "UB:CVE-2020-25638", "UB:CVE-2020-26258", "UB:CVE-2020-27216", "UB:CVE-2020-28052", "UB:CVE-2020-5421", "UB:CVE-2020-6950", "UB:CVE-2020-7238", "UB:CVE-2020-9484", "UB:CVE-2021-25329", "UB:CVE-2021-27807", "UB:CVE-2021-27906", "UB:CVE-2021-28165", "UB:CVE-2022-23181"]}, {"type": "veracode", "idList": ["VERACODE:21389", "VERACODE:21582", "VERACODE:22289", "VERACODE:22406", "VERACODE:22411", "VERACODE:22499", "VERACODE:22569", "VERACODE:22571", "VERACODE:22785", "VERACODE:25388", "VERACODE:25443", "VERACODE:25469", "VERACODE:25501", "VERACODE:25566", "VERACODE:25666", "VERACODE:25694", "VERACODE:25773", "VERACODE:25888", "VERACODE:25889", "VERACODE:26342", "VERACODE:26733", "VERACODE:26747", "VERACODE:26780", "VERACODE:27514", "VERACODE:27558", "VERACODE:27560", "VERACODE:27572", "VERACODE:27573", "VERACODE:27597", "VERACODE:27671", "VERACODE:27833", "VERACODE:27879", "VERACODE:27979", "VERACODE:28627", "VERACODE:28637", "VERACODE:28904", "VERACODE:29541", "VERACODE:29554", "VERACODE:29563", "VERACODE:29743", "VERACODE:29772", "VERACODE:29816", "VERACODE:29925"]}]}, "score": {"value": 0.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "almalinux", "idList": ["ALSA-2020:4807", "ALSA-2021:1775"]}, {"type": "amazon", "idList": ["ALAS-2020-1352", "ALAS-2020-1353", "ALAS-2020-1472", "ALAS-2022-1562", "ALAS2-2020-1402", "ALAS2-2020-1449", "ALAS2-2020-1494"]}, {"type": "archlinux", "idList": ["ASA-202006-16", "ASA-202006-5", "ASA-202006-6", "ASA-202006-7"]}, {"type": "atlassian", "idList": ["ATLASSIAN:JRASERVER-71221"]}, {"type": "attackerkb", "idList": ["AKB:38F76C83-56D0-4112-A583-4513CC15B1B3", "AKB:770521DD-D057-4195-A187-66787A667266", "AKB:8AA21692-1900-4944-98AB-BEC257302198", "AKB:FB2F65B2-D10B-4622-AEE6-41AAD3C1E6E7"]}, {"type": "centos", "idList": ["CESA-2017:2423", "CESA-2020:2530", "CESA-2020:5020"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2013-2750", "CPAI-2020-0086", "CPAI-2020-1284", "CPAI-2020-3204"]}, {"type": "cisa", "idList": ["CISA:7E752ED3C4545FF8F72629B02D303E84", "CISA:918BA24AFBD99F0ED28F66A3212E3BA6"]}, {"type": "cve", "idList": ["CVE-2017-5645", "CVE-2019-14887", "CVE-2019-16869", "CVE-2020-10688", "CVE-2020-10719", "CVE-2020-11996", "CVE-2020-13934", "CVE-2020-13935", "CVE-2020-13954", "CVE-2020-13956", "CVE-2020-14340", "CVE-2020-1695", "CVE-2020-1935", "CVE-2020-1938", "CVE-2020-25638", "CVE-2020-25640", "CVE-2020-26258", "CVE-2020-28052", "CVE-2020-5410", "CVE-2020-6950", "CVE-2020-9484"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1941-1:FEB61", "DEBIAN:DLA-2109-1:DE8EC", "DEBIAN:DLA-2133-1:EFD3F", "DEBIAN:DLA-2209-1:84C77", "DEBIAN:DLA-2217-1:0ED90", "DEBIAN:DLA-2279-1:771F3", "DEBIAN:DSA-4908-1:0437F"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2017-5645", "DEBIANCVE:CVE-2020-13920", "DEBIANCVE:CVE-2020-28052"]}, {"type": "f5", "idList": ["F5:K23173103", "F5:K43709560", "F5:K53254186"]}, {"type": "fedora", "idList": ["FEDORA:0AC1C60C76B5", "FEDORA:341EA6057129", "FEDORA:376506075014", "FEDORA:76CFD605E21F", "FEDORA:A99066078F69", "FEDORA:EFDAB6050C3B"]}, {"type": "freebsd", "idList": ["20006B5F-A0BC-11EB-8AE6-FC4DD43E2B6A", "676CA486-9C1E-11EA-8B5E-B42E99A1B9C3", "E358B470-B37D-4E47-BC8A-2CD9ADBEB63C"]}, {"type": "gentoo", "idList": ["GLSA-202003-43"]}, {"type": "github", "idList": ["GHSA-29QJ-RVV6-QRMV", "GHSA-2H3J-M7GR-25XJ", "GHSA-32XF-JWMV-9HF3", "GHSA-344F-F5VG-2JFJ", "GHSA-53X6-4X5P-RRVV", "GHSA-5RCV-M4M3-HFH7", "GHSA-64X2-GQ24-75PV", "GHSA-73XV-W5GP-FRXH", "GHSA-7CJ4-GJ8M-M2F7", "GHSA-7R82-7XV7-XCPJ", "GHSA-C738-77X8-WMQ5", "GHSA-CCCF-7XW3-P2VR", "GHSA-HR32-MGPM-QF2F", "GHSA-P2V9-G2QV-P635", "GHSA-P979-4MFW-53VG", "GHSA-QQ48-M4JX-XQH8", "GHSA-QXF4-CHVG-4R8R", "GHSA-RMRM-75HP-PHR2", "GHSA-RV39-3QH7-9V7W", "GHSA-RVWF-54QP-4R6V", "GHSA-V528-7HRM-FRQP"]}, {"type": "githubexploit", "idList": ["0B52DD25-4874-54EB-8213-8FA10B0966A3", "0FF82942-18BE-564C-8559-A8747AF02003", "140968B5-6F8E-57C6-8A61-831D5FB78836", "14CD7401-C309-52B2-B4EE-AD54900F0455", "175F0524-E328-527F-BC58-2130DE4756FF", "18F5237C-DCAC-5831-AED6-F0880A11DFF2", "4149EA3B-6A39-507B-A34C-22418BD1F20A", "4278B435-D22E-57E8-ABC4-639BAAFA6FC9", "44298060-D70D-5668-B934-C6F101F4EF90", "504D019A-423C-50A0-9677-93192F0ECDFC", "5602A60A-886A-598C-99B3-EE2E820506AD", "6E0425A5-AA6D-5FC6-9F8C-415345C30DD5", "7130E91B-2DF2-565E-ADE8-4C60D45E5A4D", "72ACBBC1-E9FB-5A12-8614-06BEF5F96394", "743F51FB-8BF4-5425-AEFA-10B2A14C8F3B", "848A368C-4CEE-5324-BB29-1432453E3138", "92CE6110-40F8-5FE5-909B-BE6B59186578", "968DBE0A-CC05-5F47-B348-E8E33AA33F6C", "B0BA17F5-F171-5C97-9F6C-D5F38B5B64F5", "B3B326B1-29C1-5DA0-A61A-FF3C479779A6", "B41082A1-4177-53E2-A74C-8ABA13AA3E86", "BA9D322B-4694-5B07-BD2F-83E700A62DE8", "C2D99D6A-1A8C-5D55-BBB7-34A978AAC642", "C3759325-98F9-5F0F-98F5-6EAE787CE3FB", "C4EDB405-454C-5160-9A99-21A930740C3F", "D05BED3C-1405-5414-B868-D7E9E1AEC6EF", "D5CBA0E2-A4B0-52CE-B93B-F433CE8662DA", "E95D9A0E-E9DE-5D95-9879-E07C0257318C", "F60737C1-A24B-51C1-AE8D-73A65C778FFF", "F9061858-90CD-55ED-9193-068E2E50FF77"]}, {"type": "hackerone", "idList": ["H1:874427"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20200715-01-TOMACT"]}, {"type": "ibm", "idList": ["226FFFCDF94FA8471AA279C7EA3B887FAA510E3463B5ABDBC303B7D6583EE6BE", "643278CE1BB636D8764FFFB99832A74E1EB43BC79E059A2AF6DA2A9DF4BB4FCB", "9D10729AB8873D23F2244363D8A1DDDC6F4683B3420052FC513112D30B8E6FC8", "A545DB1C220C2CED88336E81FF848EF91603811394EF649FEC94F4D2653CBD45", "B0FF85DCDE8644B3484BD6CF258480DD40154E7BDFEEDF7A128BF747F3AC618F", "C0BDB67449527274F6BF935813A76F827DBFB1EAD61444E49DD24177F6B0ABE0", "D783A7F4DFFB9905E79E357ACA80CE9623FFC55147AEC4BAF71DFFC0CC45C9F3", "F479B1D4D6CE6F94562BE83AEBC7D30E6633A6727AB24138B99039D7EB3AB70F", "FBF04463FD979054AD645A3FD172D5826C3ABE6D6D2F80B590982B60B574F03D"]}, {"type": "jvn", "idList": ["JVN:90729322"]}, {"type": "kaspersky", "idList": ["KLA11679", "KLA11784", "KLA11785"]}, {"type": "kitploit", "idList": ["KITPLOIT:5420210148456420402"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/DEBIAN-CVE-2020-7238/", "MSF:ILITIES/RED_HAT-JBOSS_EAP-CVE-2020-14340/"]}, {"type": "myhack58", "idList": ["MYHACK58:62201785372"]}, {"type": "nessus", "idList": ["701350.PASL", "701351.PASL", "AL2_ALAS-2020-1402.NASL", "ALA_ALAS-2020-1352.NASL", "ALA_ALAS-2020-1353.NASL", "ALA_ALAS-2020-1472.NASL", "CENTOS8_RHSA-2021-1775.NASL", "CENTOS_RHSA-2020-5020.NASL", "DEBIAN_DLA-2109.NASL", "DEBIAN_DLA-2133.NASL", "DEBIAN_DLA-2209.NASL", "DEBIAN_DLA-2217.NASL", "DEBIAN_DLA-2279.NASL", "DEBIAN_DLA-2661.NASL", "DEBIAN_DSA-4908.NASL", "EULEROS_SA-2021-1858.NASL", "FEDORA_2017-11EDC0D6C3.NASL", "FEDORA_2017-B8358CDA24.NASL", "FEDORA_2020-239503F5FA.NASL", "FEDORA_2020-DF970DA9FC.NASL", "FREEBSD_PKG_20006B5FA0BC11EB8AE6FC4DD43E2B6A.NASL", "FREEBSD_PKG_676CA4869C1E11EA8B5EB42E99A1B9C3.NASL", "FREEBSD_PKG_E358B470B37D4E47BC8A2CD9ADBEB63C.NASL", "JFROG_ARTIFACTORY_7_10_1.NASL", "NEWSTART_CGSL_NS-SA-2020-0055_TOMCAT.NASL", "NEWSTART_CGSL_NS-SA-2020-0085_TOMCAT.NASL", "OPENSUSE-2020-345.NASL", "OPENSUSE-2020-711.NASL", "OPENSUSE-2021-855.NASL", "ORACLELINUX_ELSA-2017-2423.NASL", "ORACLELINUX_ELSA-2020-4807.NASL", "ORACLELINUX_ELSA-2020-5020.NASL", "ORACLE_NOSQL_CPU_APR_2021.NASL", "ORACLE_PRIMAVERA_UNIFIER_CPU_APR_2021.NASL", "ORACLE_RDBMS_CPU_APR_2021.NASL", "ORACLE_WEBCENTER_PORTAL_CPU_APR_2021.NASL", "PHOTONOS_PHSA-2020-1_0-0308_APACHE.NASL", "PHOTONOS_PHSA-2020-2_0-0248_APACHE.NASL", "PHOTONOS_PHSA-2020-3_0-0100_APACHE.NASL", "REDHAT-RHSA-2017-2423.NASL", "REDHAT-RHSA-2020-0605.NASL", "REDHAT-RHSA-2020-0804.NASL", "REDHAT-RHSA-2020-0805.NASL", "REDHAT-RHSA-2020-0806.NASL", "REDHAT-RHSA-2020-0855.NASL", "REDHAT-RHSA-2020-0861.NASL", "REDHAT-RHSA-2020-0912.NASL", "REDHAT-RHSA-2020-5020.NASL", "REDHAT-RHSA-2020-5054.NASL", "REDHAT-RHSA-2020-5055.NASL", "REDHAT-RHSA-2020-5056.NASL", "REDHAT-RHSA-2020-5168.NASL", "REDHAT-RHSA-2020-5170.NASL", "REDHAT-RHSA-2020-5175.NASL", "REDHAT-RHSA-2020-5340.NASL", "REDHAT-RHSA-2020-5341.NASL", "REDHAT-RHSA-2020-5342.NASL", "REDHAT-RHSA-2021-1030.NASL", "REDHAT-RHSA-2021-1509.NASL", "REDHAT-RHSA-2021-1551.NASL", "REDHAT-RHSA-2021-1775.NASL", "REDHAT-RHSA-2021-2046.NASL", "REDHAT-RHSA-2021-2047.NASL", "REDHAT-RHSA-2021-2048.NASL", "REDHAT_UPDATE_LEVEL.NASL", "SL_20170807_LOG4J_ON_SL7_X.NASL", "SL_20200317_TOMCAT_ON_SL7_X.NASL", "SL_20201110_TOMCAT_ON_SL7_X.NASL", "SUSE_SU-2020-1272-1.NASL", "SUSE_SU-2020-14334-1.NASL", "SUSE_SU-2020-14342-1.NASL", "SUSE_SU-2020-14375-1.NASL", "SUSE_SU-2021-1876-1.NASL", "SUSE_SU-2021-2005-1.NASL", "TOMCAT_10_0_0_M5.NASL", "TOMCAT_10_0_0_M6.NASL", "TOMCAT_10_0_2.NASL", "TOMCAT_7_0_104.NASL", "UBUNTU_USN-4596-1.NASL", "VIRTUOZZO_VZLSA-2020-5020.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310143545", "OPENVAS:1361412562310143549", "OPENVAS:1361412562310143550", "OPENVAS:1361412562310143963", "OPENVAS:1361412562310143964", "OPENVAS:1361412562310853073", "OPENVAS:1361412562310853179", "OPENVAS:1361412562310872637", "OPENVAS:1361412562310872638", "OPENVAS:1361412562310872757", "OPENVAS:1361412562310872759", "OPENVAS:1361412562310883204", "OPENVAS:1361412562310883212", "OPENVAS:1361412562310891941", "OPENVAS:1361412562310892109", "OPENVAS:1361412562310892133", "OPENVAS:1361412562310892209", "OPENVAS:1361412562310892217"]}, {"type": "oracle", "idList": ["ORACLE:CPUJAN2022"]}, {"type": "oraclelinux", "idList": ["ELSA-2017-2423", "ELSA-2020-2530", "ELSA-2020-4807", "ELSA-2020-5020"]}, {"type": "photon", "idList": ["PHSA-2020-0265", "PHSA-2020-1.0-0285", "PHSA-2020-1.0-0298", "PHSA-2020-1.0-0308", "PHSA-2020-1.0-0309", "PHSA-2020-2.0-0248", "PHSA-2020-2.0-0263", "PHSA-2020-2.0-0265", "PHSA-2020-3.0-0069", "PHSA-2020-3.0-0100", "PHSA-2020-3.0-0114", "PHSA-2020-3.0-0116"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0E0377FD948B0481F7D7DC678F26D14F", "QUALYSBLOG:BC451493BC4D8290B1A1CF86E18A6F98"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:1337FDDA53CBD823DC2468664817FC4E"]}, {"type": "redhat", "idList": ["RHSA-2017:2423", "RHSA-2020:0861", "RHSA-2020:3783", "RHSA-2020:3806", "RHSA-2020:5056", "RHSA-2020:5175", "RHSA-2020:5198", "RHSA-2020:5302", "RHSA-2021:2051", "RHSA-2021:4918"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-13936", "RH:CVE-2020-13954", "RH:CVE-2020-13956", "RH:CVE-2020-17510", "RH:CVE-2020-17518", "RH:CVE-2020-25638", "RH:CVE-2020-25644", "RH:CVE-2020-26945", "RH:CVE-2020-27216", "RH:CVE-2020-28052", "RH:CVE-2021-25329", "RH:CVE-2021-27568", "RH:CVE-2021-27807", "RH:CVE-2021-27906", "RH:CVE-2021-28165"]}, {"type": "seebug", "idList": ["SSV:92965"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0345-1", "OPENSUSE-SU-2020:0711-1"]}, {"type": "symantec", "idList": ["SMNTC-1765"]}, {"type": "thn", "idList": ["THN:C6364AF85A1C10659ACD33775E77BDB6"]}, {"type": "threatpost", "idList": ["THREATPOST:214533340038BB91553A4B59BF7E7E5A", "THREATPOST:313F32F60D9EA2BAD10FC02FD1936D67", "THREATPOST:5FB916D9A9E9391705A03D236B3C2870", "THREATPOST:EE9B6A926627297E472D038C8C507D06"]}, {"type": "tomcat", "idList": ["TOMCAT:5240E60E42AA59815FABAFAFBE8E089C"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:2CA47F0816E5DABCE6EBAF8E27EAF620"]}, {"type": "ubuntu", "idList": ["USN-4448-1", "USN-4532-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-10688", "UB:CVE-2020-14340", "UB:CVE-2021-28165"]}]}, "exploitation": null, "vulnersScore": 0.1}, "_state": {"dependencies": 1660032824, "score": 1660034803}, "_internal": {"score_hash": "63ce3be78638af7ecd7a38769ec53dbd"}, "affectedPackage": [], "vendorCvss": {"severity": "moderate"}}

{"redhat": [{"lastseen": "2021-10-19T20:36:08", "description": "Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform.\n\nThis release of Red Hat support for Spring Boot 2.2.6.SP2 serves as a replacement for Red Hat support for Spring Boot 2.2.6.SP1, and includes security and bug fixes and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* resteasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack (CVE-2020-10688)\n\n* hibernate-validator: Improper input validation in the interpolation of constraint error messages (CVE-2020-10693)\n\n* tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935)\n\n* tomcat: OutOfMemoryException caused by HTTP/2 connection leak could lead to DoS (CVE-2020-13934)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-09-23T16:23:17", "type": "redhat", "title": "(RHSA-2020:3806) Important: Red Hat support for Spring Boot 2.2.6.SP2 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10688", "CVE-2020-10693", "CVE-2020-13934", "CVE-2020-13935"], "modified": "2020-09-23T16:23:59", "id": "RHSA-2020:3806", "href": "https://access.redhat.com/errata/RHSA-2020:3806", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-10-19T20:38:18", "description": "Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation (DMN) execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. \n\nThis release of Red Hat Decision Manager 7.10.0 serves as an update to Red Hat Decision Manager 7.9.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* hibernate-core-kie-server-ee8: hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used (CVE-2020-25638)\n\n* httpclient: apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)\n\n* xercesimpl: wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl (CVE-2020-14338)\n\n* log4j-core: log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.2}, "published": "2021-02-17T13:36:01", "type": "redhat", "title": "(RHSA-2021:0603) Important: Red Hat Decision Manager 7.10.0 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13956", "CVE-2020-14338", "CVE-2020-25638", "CVE-2020-9488"], "modified": "2021-02-17T13:36:54", "id": "RHSA-2021:0603", "href": "https://access.redhat.com/errata/RHSA-2021:0603", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-10-19T20:37:53", "description": "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis release of Red Hat Process Automation Manager 7.10.0 serves as an update to Red Hat Process Automation Manager 7.9.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* hibernate-core-kie-server-ee8: hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used (CVE-2020-25638)\n\n* xercesimpl: wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl (CVE-2020-14338)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.2}, "published": "2021-02-17T10:00:13", "type": "redhat", "title": "(RHSA-2021:0600) Important: Red Hat Process Automation Manager 7.10.0 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14338", "CVE-2020-25638"], "modified": "2021-02-17T12:04:36", "id": "RHSA-2021:0600", "href": "https://access.redhat.com/errata/RHSA-2021:0600", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-10-19T20:39:25", "description": "This release of Red Hat build of Thorntail 2.7.2 includes security updates, bug fixes, and enhancements. For more information, see the release notes listed in the References section.\n\nSecurity Fix(es):\n\n* picketbox: JBoss EAP reload to admin-only mode allows authentication bypass (CVE-2020-14299)\n\n* xnio: file descriptor leak caused by growing amounts of NIO Selector file handles may lead to DoS (CVE-2020-14340)\n\n* wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl (CVE-2020-14338)\n\n* hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used \n(CVE-2020-25638)\n\n* jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE) (CVE-2020-25649)\n\nFor more details about the security issues and their impact, the CVSS score, acknowledgements, and other related information, see the CVE pages listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-12-16T07:16:20", "type": "redhat", "title": "(RHSA-2020:5361) Important: Red Hat build of Thorntail 2.7.2 security and bug fix update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 6.3, "vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14299", "CVE-2020-14338", "CVE-2020-14340", "CVE-2020-25638", "CVE-2020-25649"], "modified": "2020-12-16T07:17:11", "id": "RHSA-2020:5361", "href": "https://access.redhat.com/errata/RHSA-2020:5361", "cvss": {"score": 6.3, "vector": "AV:N/AC:M/Au:S/C:N/I:N/A:C"}}, {"lastseen": "2021-10-19T20:39:14", "description": "Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform.\n\nThis release of Red Hat support for Spring Boot 2.2.11 serves as a replacement for Red Hat support for Spring Boot 2.2.10, and includes security and bug fixes and enhancements. For more information, see the release notes listed in the References section.\n\nSecurity Fix(es):\n\n * hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used (CVE-2020-25638)\n\n * tomcat: specially crafted sequence of HTTP/2 requests can lead to DoS (CVE-2020-11996)\n\nFor more details about the security issues and their impact, the CVSS score, acknowledgements, and other related information, see the CVE pages listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-01-07T11:45:22", "type": "redhat", "title": "(RHSA-2020:5388) Important: Red Hat support for Spring Boot 2.2.11 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11996", "CVE-2020-25638"], "modified": "2021-01-07T11:46:05", "id": "RHSA-2020:5388", "href": "https://access.redhat.com/errata/RHSA-2020:5388", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-10-19T20:36:39", "description": "Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform.\n\nThis release of Red Hat support for Spring Boot 2.3.6 serves as a replacement for Red Hat support for Spring Boot 2.3.4, and includes security and bug fixes and enhancements. For more information, see the release notes listed in the References section.\n\nSecurity Fix(es):\n\n* hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used (CVE-2020-25638)\n\n* tomcat: specially crafted sequence of HTTP/2 requests can lead to DoS (CVE-2020-11996)\n\nFor more details about the security issues and their impact, the CVSS score, acknowledgements, and other related information, see the CVE pages listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-02-02T10:21:06", "type": "redhat", "title": "(RHSA-2021:0292) Important: Red Hat support for Spring Boot 2.3.6 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11996", "CVE-2020-25638"], "modified": "2021-02-02T10:21:46", "id": "RHSA-2021:0292", "href": "https://access.redhat.com/errata/RHSA-2021:0292", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-10-19T20:38:42", "description": "A minor version update (from 1.3 to 1.4) is now available for Red Hat Camel K that includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* cron-utils: template injection allows attackers to inject arbitrary Java EL expressions leading to remote code execution (CVE-2020-26238)\n\n* californium-core: DTLS - DoS vulnerability for certificate based handshakes (CVE-2020-27222)\n\n* undertow: special character in query results in server errors (CVE-2020-27782)\n\n* bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible (CVE-2020-28052)\n\n* activemq: improper authentication allows MITM attack (CVE-2020-13920)\n\n* flink: apache-flink: directory traversal attack allows remote file writing through the REST API (CVE-2020-17518)\n\n* groovy: OS temporary directory leads to information disclosure (CVE-2020-17521)\n\n* kubernetes-client: fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise (CVE-2021-20218)\n\n* pdfbox: infinite loop while loading a crafted PDF file (CVE-2021-27807)\n\n* cxf-rt-rs-json-basic: CXF: Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter (CVE-2021-30468)\n\n* kotlin-scripting-jvm: kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure (CVE-2020-29582)\n\n* pdfbox: OutOfMemory-Exception while loading a crafted PDF file (CVE-2021-27906)\n\n* pdfbox: OutOfMemory-Exception while loading a crafted PDF file (CVE-2021-31811)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-18T09:09:40", "type": "redhat", "title": "(RHSA-2021:3205) Moderate: Red Hat Integration Camel-K 1.4 release and security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13920", "CVE-2020-13954", "CVE-2020-17518", "CVE-2020-17521", "CVE-2020-26217", "CVE-2020-26238", "CVE-2020-26258", "CVE-2020-26259", "CVE-2020-27222", "CVE-2020-27782", "CVE-2020-28052", "CVE-2020-29582", "CVE-2021-20218", "CVE-2021-22118", "CVE-2021-27807", "CVE-2021-27906", "CVE-2021-30468", "CVE-2021-31811"], "modified": "2021-10-18T13:51:49", "id": "RHSA-2021:3205", "href": "https://access.redhat.com/errata/RHSA-2021:3205", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-19T20:40:54", "description": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 5.3.2 serves as a replacement for Red Hat JBoss Web Server 5.3.1, and includes bug fixes, enhancements, and component upgrades, which are documented in the Release Notes, linked to in the References.\n\nSecurity Fix(es):\n\n* tomcat: OutOfMemoryException caused by HTTP/2 connection leak could lead to DoS (CVE-2020-13934)\n* tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-08-04T11:21:34", "type": "redhat", "title": "(RHSA-2020:3306) Important: Red Hat JBoss Web Server 5.3.2 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13934", "CVE-2020-13935"], "modified": "2020-08-04T11:25:28", "id": "RHSA-2020:3306", "href": "https://access.redhat.com/errata/RHSA-2020:3306", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-10-19T20:35:38", "description": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 5.3.2 serves as a replacement for Red Hat JBoss Web Server 5.3.1, and includes bug fixes, enhancements, and component upgrades, which are documented in the Release Notes, linked to in the References.\n\nSecurity Fix(es):\n\n* tomcat: OutOfMemoryException caused by HTTP/2 connection leak could lead to DoS (CVE-2020-13934)\n* tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935) \n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-08-04T11:35:57", "type": "redhat", "title": "(RHSA-2020:3308) Important: Red Hat JBoss Web Server 5.3.2 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13934", "CVE-2020-13935"], "modified": "2020-08-04T11:36:39", "id": "RHSA-2020:3308", "href": "https://access.redhat.com/errata/RHSA-2020:3308", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-10-19T20:36:17", "description": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.3.5 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.4, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.5 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* wildfly: Potential Memory leak in Wildfly when using OpenTracing (CVE-2020-27822)\n\n* undertow: special character in query results in server errors (CVE-2020-27782)\n\n* wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller (CVE-2020-25689)\n\n* httpclient: apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)\n\n* wildfly: resource adapter logs plaintext JMS password at warning level on connection error (CVE-2020-25640)\n\n* resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's WebApplicationException handling (CVE-2020-25633)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-01-25T16:11:00", "type": "redhat", "title": "(RHSA-2021:0247) Important: Red Hat JBoss Enterprise Application Platform 7.3.5 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13956", "CVE-2020-25633", "CVE-2020-25640", "CVE-2020-25689", "CVE-2020-27782", "CVE-2020-27822"], "modified": "2021-01-25T16:23:52", "id": "RHSA-2021:0247", "href": "https://access.redhat.com/errata/RHSA-2021:0247", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-10-19T20:36:18", "description": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.3.5 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.4, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise\nApplication Platform 7.3.5 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* wildfly: Potential Memory leak in Wildfly when using OpenTracing (CVE-2020-27822)\n\n* undertow: special character in query results in server errors (CVE-2020-27782)\n\n* wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller (CVE-2020-25689)\n\n* httpclient: apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)\n\n* wildfly: resource adapter logs plaintext JMS password at warning level on connection error (CVE-2020-25640)\n\n* resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's WebApplicationException handling (CVE-2020-25633)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-01-25T16:11:15", "type": "redhat", "title": "(RHSA-2021:0248) Important: Red Hat JBoss Enterprise Application Platform 7.3.5 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13956", "CVE-2020-25633", "CVE-2020-25640", "CVE-2020-25689", "CVE-2020-27782", "CVE-2020-27822"], "modified": "2021-01-25T16:23:07", "id": "RHSA-2021:0248", "href": "https://access.redhat.com/errata/RHSA-2021:0248", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-10-19T20:40:18", "description": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.3.5 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.4, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.5 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* wildfly: Potential Memory leak in Wildfly when using OpenTracing (CVE-2020-27822)\n\n* undertow: special character in query results in server errors (CVE-2020-27782)\n\n* wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller (CVE-2020-25689)\n\n* httpclient: apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)\n\n* wildfly: resource adapter logs plaintext JMS password at warning level on connection error (CVE-2020-25640)\n\n* resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's WebApplicationException handling (CVE-2020-25633)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-01-25T16:13:53", "type": "redhat", "title": "(RHSA-2021:0250) Important: Red Hat JBoss Enterprise Application Platform 7.3.5 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13956", "CVE-2020-25633", "CVE-2020-25640", "CVE-2020-25689", "CVE-2020-27782", "CVE-2020-27822"], "modified": "2021-01-25T16:15:40", "id": "RHSA-2021:0250", "href": "https://access.redhat.com/errata/RHSA-2021:0250", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-10-19T20:36:32", "description": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.3.5 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.4, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.5 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* wildfly: Potential Memory leak in Wildfly when using OpenTracing (CVE-2020-27822)\n\n* undertow: special character in query results in server errors (CVE-2020-27782)\n\n* wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller (CVE-2020-25689)\n\n* httpclient: apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)\n\n* wildfly: resource adapter logs plaintext JMS password at warning level on connection error (CVE-2020-25640)\n\n* resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's WebApplicationException handling (CVE-2020-25633)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-01-25T16:10:47", "type": "redhat", "title": "(RHSA-2021:0246) Important: Red Hat JBoss Enterprise Application Platform 7.3.5 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13956", "CVE-2020-25633", "CVE-2020-25640", "CVE-2020-25689", "CVE-2020-27782", "CVE-2020-27822"], "modified": "2021-01-25T16:22:10", "id": "RHSA-2021:0246", "href": "https://access.redhat.com/errata/RHSA-2021:0246", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-10-19T20:39:33", "description": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.3.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.3, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\n* jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (CVE-2020-25649)\n\n* hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used (CVE-2020-25638)\n\n* wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL (CVE-2020-25644)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-12-03T19:07:56", "type": "redhat", "title": "(RHSA-2020:5341) Important: Red Hat JBoss Enterprise Application Platform 7.3.4 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25638", "CVE-2020-25644", "CVE-2020-25649"], "modified": "2020-12-03T19:10:42", "id": "RHSA-2020:5341", "href": "https://access.redhat.com/errata/RHSA-2020:5341", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-10-19T20:38:27", "description": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.3.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.3, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (CVE-2020-25649)\n\n* hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used (CVE-2020-25638)\n\n* wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL (CVE-2020-25644)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-12-03T19:08:22", "type": "redhat", "title": "(RHSA-2020:5342) Important: Red Hat JBoss Enterprise Application Platform 7.3.4 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25638", "CVE-2020-25644", "CVE-2020-25649"], "modified": "2020-12-03T19:10:49", "id": "RHSA-2020:5342", "href": "https://access.redhat.com/errata/RHSA-2020:5342", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-10-19T20:40:47", "description": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.3.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.3, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (CVE-2020-25649)\n\n* hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used (CVE-2020-25638)\n\n* wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL (CVE-2020-25644)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-12-03T19:08:45", "type": "redhat", "title": "(RHSA-2020:5344) Important: Red Hat JBoss Enterprise Application Platform 7.3.4 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25638", "CVE-2020-25644", "CVE-2020-25649"], "modified": "2020-12-03T19:09:40", "id": "RHSA-2020:5344", "href": "https://access.redhat.com/errata/RHSA-2020:5344", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-10-19T20:39:52", "description": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.3.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.3, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.4 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (CVE-2020-25649)\n\n* hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used (CVE-2020-25638)\n\n* wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL (CVE-2020-25644)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-12-03T19:05:33", "type": "redhat", "title": "(RHSA-2020:5340) Important: Red Hat JBoss Enterprise Application Platform 7.3.4 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25638", "CVE-2020-25644", "CVE-2020-25649"], "modified": "2020-12-03T19:08:06", "id": "RHSA-2020:5340", "href": "https://access.redhat.com/errata/RHSA-2020:5340", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-10-19T20:40:38", "description": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1 Service Pack 10 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935)\n* tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling (CVE-2020-1935) \n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-08-04T11:13:36", "type": "redhat", "title": "(RHSA-2020:3305) Important: Red Hat JBoss Web Server 3.1 Service Pack 10 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13935", "CVE-2020-1935"], "modified": "2020-08-04T11:14:18", "id": "RHSA-2020:3305", "href": "https://access.redhat.com/errata/RHSA-2020:3305", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-10-19T20:40:09", "description": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1 Service Pack 10 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935)\n* tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling (CVE-2020-1935)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-08-04T11:06:33", "type": "redhat", "title": "(RHSA-2020:3303) Important: Red Hat JBoss Web Server 3.1 Service Pack 10 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13935", "CVE-2020-1935"], "modified": "2020-08-04T11:08:59", "id": "RHSA-2020:3303", "href": "https://access.redhat.com/errata/RHSA-2020:3303", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-10-19T20:38:44", "description": "Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.4.5 serves as a replacement for Red Hat Single Sign-On 7.4.4, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* undertow: special character in query results in server errors (CVE-2020-27782)\n\n* keycloak: Default Client configuration is vulnerable to SSRF using \"request_uri\" parameter (CVE-2020-10770)\n\n* apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)\n\n* wildfly: resource adapter logs plaintext JMS password at warning level on connection error (CVE-2020-25640)\n\n* wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller (CVE-2020-25689)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-02-01T18:52:18", "type": "redhat", "title": "(RHSA-2021:0327) Important: Red Hat Single Sign-On 7.4.5 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10770", "CVE-2020-13956", "CVE-2020-25633", "CVE-2020-25640", "CVE-2020-25689", "CVE-2020-27782", "CVE-2020-27822"], "modified": "2021-02-17T12:03:31", "id": "RHSA-2021:0327", "href": "https://access.redhat.com/errata/RHSA-2021:0327", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-10-19T20:40:26", "description": "This release of Red Hat Integration - Service registry 1.1.1.GA serves as a replacement for 1.1.0.GA, and includes the below security fixes.\n\nSecurity Fix(es):\n\n* hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used (CVE-2020-25638)\n\n* jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE) (CVE-2020-25649)\n\n* golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-05-19T07:40:35", "type": "redhat", "title": "(RHSA-2021:2039) Moderate: Service Registry (container images) release and security update [1.1.1.GA]", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14040", "CVE-2020-25638", "CVE-2020-25649"], "modified": "2021-05-19T07:44:30", "id": "RHSA-2021:2039", "href": "https://access.redhat.com/errata/RHSA-2021:2039", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-10-19T20:36:09", "description": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.3.3 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.2 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.3 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* picketbox: JBoss EAP reload to admin-only mode allows authentication bypass (CVE-2020-14299)\n\n* wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl (CVE-2020-14338)\n\n* xnio: file descriptor leak caused by growing amounts of NIO Selector file handles may lead to DoS (CVE-2020-14340)\n\n* cxf: JMX integration is vulnerable to a MITM attack (CVE-2020-1954)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-10-13T16:38:53", "type": "redhat", "title": "(RHSA-2020:4245) Moderate: Red Hat JBoss Enterprise Application Platform 7.3.3 security update on RHEL 8", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 6.3, "vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14299", "CVE-2020-14338", "CVE-2020-14340", "CVE-2020-1954"], "modified": "2020-10-13T16:41:26", "id": "RHSA-2020:4245", "href": "https://access.redhat.com/errata/RHSA-2020:4245", "cvss": {"score": 6.3, "vector": "AV:N/AC:M/Au:S/C:N/I:N/A:C"}}, {"lastseen": "2021-10-19T20:39:46", "description": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.3.3 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.2 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.3 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* picketbox: JBoss EAP reload to admin-only mode allows authentication bypass (CVE-2020-14299)\n\n* wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl (CVE-2020-14338)\n\n* xnio: file descriptor leak caused by growing amounts of NIO Selector file handles may lead to DoS (CVE-2020-14340)\n\n* cxf: JMX integration is vulnerable to a MITM attack (CVE-2020-1954)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-10-13T16:37:57", "type": "redhat", "title": "(RHSA-2020:4244) Moderate: Red Hat JBoss Enterprise Application Platform 7.3.3 security update on RHEL 6", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 6.3, "vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14299", "CVE-2020-14338", "CVE-2020-14340", "CVE-2020-1954"], "modified": "2020-10-13T16:41:05", "id": "RHSA-2020:4244", "href": "https://access.redhat.com/errata/RHSA-2020:4244", "cvss": {"score": 6.3, "vector": "AV:N/AC:M/Au:S/C:N/I:N/A:C"}}, {"lastseen": "2021-10-19T20:36:41", "description": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.3.3 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.2 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.3 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* picketbox: JBoss EAP reload to admin-only mode allows authentication bypass (CVE-2020-14299)\n\n* wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl (CVE-2020-14338)\n\n* xnio: file descriptor leak caused by growing amounts of NIO Selector file handles may lead to DoS (CVE-2020-14340)\n\n* cxf: JMX integration is vulnerable to a MITM attack (CVE-2020-1954)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-10-13T16:44:32", "type": "redhat", "title": "(RHSA-2020:4247) Moderate: Red Hat JBoss Enterprise Application Platform 7.3.3 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 6.3, "vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14299", "CVE-2020-14338", "CVE-2020-14340", "CVE-2020-1954"], "modified": "2020-10-13T16:45:37", "id": "RHSA-2020:4247", "href": "https://access.redhat.com/errata/RHSA-2020:4247", "cvss": {"score": 6.3, "vector": "AV:N/AC:M/Au:S/C:N/I:N/A:C"}}, {"lastseen": "2021-10-19T20:39:02", "description": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.3.3 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.2 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.3 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* picketbox: JBoss EAP reload to admin-only mode allows authentication bypass (CVE-2020-14299)\n\n* wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl (CVE-2020-14338)\n\n* xnio: file descriptor leak caused by growing amounts of NIO Selector file handles may lead to DoS (CVE-2020-14340)\n\n* cxf: JMX integration is vulnerable to a MITM attack (CVE-2020-1954)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-10-13T16:39:17", "type": "redhat", "title": "(RHSA-2020:4246) Moderate: Red Hat JBoss Enterprise Application Platform 7.3.3 security update on RHEL 7", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 6.3, "vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14299", "CVE-2020-14338", "CVE-2020-14340", "CVE-2020-1954"], "modified": "2020-10-13T16:41:50", "id": "RHSA-2020:4246", "href": "https://access.redhat.com/errata/RHSA-2020:4246", "cvss": {"score": 6.3, "vector": "AV:N/AC:M/Au:S/C:N/I:N/A:C"}}, {"lastseen": "2021-10-19T20:40:30", "description": "This release of Red Hat build of Thorntail 2.7.3 includes security updates, bug fixes, and enhancements. For more information, see the release notes listed in the References section.\n\nSecurity Fix(es):\n\n* resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's WebApplicationException handling (CVE-2020-25633)\n\n* wildfly: resource adapter logs plaintext JMS password at warning level on connection error (CVE-2020-25640)\n\n* wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller (CVE-2020-25689)\n\n* undertow: special character in query results in server errors (CVE-2020-27782)\n\n* wildfly: Potential Memory leak in Wildfly when using OpenTracing (CVE-2020-27822)\n\nFor more details about the security issues and their impact, the CVSS score, acknowledgements, and other related information, see the CVE pages listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-02-08T09:02:45", "type": "redhat", "title": "(RHSA-2021:0295) Important: Red Hat build of Thorntail 2.7.3 security and bug fix update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25633", "CVE-2020-25640", "CVE-2020-25689", "CVE-2020-27782", "CVE-2020-27822"], "modified": "2021-02-08T09:03:26", "id": "RHSA-2021:0295", "href": "https://access.redhat.com/errata/RHSA-2021:0295", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-10-19T20:38:15", "description": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 5.5.0 serves as a replacement for Red Hat JBoss Web Server 5.4.2, and includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References.\n\nSecurity Fix(es):\n\n* hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used (CVE-2020-25638)\n* tomcat: Request mix-up with h2c (CVE-2021-25122)\n* tomcat: Incomplete fix for CVE-2020-9484 (RCE via session persistence) (CVE-2021-25329)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-06-29T08:35:57", "type": "redhat", "title": "(RHSA-2021:2562) Moderate: Red Hat JBoss Web Server 5.5.0 security release", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25638", "CVE-2020-9484", "CVE-2021-25122", "CVE-2021-25329"], "modified": "2021-06-29T08:36:34", "id": "RHSA-2021:2562", "href": "https://access.redhat.com/errata/RHSA-2021:2562", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-10-19T20:39:42", "description": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 5.5.0 serves as a replacement for Red Hat JBoss Web Server 5.4.2, and includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References.\n\nSecurity Fix(es):\n\n* hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used (CVE-2020-25638)\n* tomcat: Request mix-up with h2c (CVE-2021-25122)\n* tomcat: Incomplete fix for CVE-2020-9484 (RCE via session persistence) (CVE-2021-25329)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-06-29T08:34:12", "type": "redhat", "title": "(RHSA-2021:2561) Moderate: Red Hat JBoss Web Server 5.5.0 Security release", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25638", "CVE-2020-9484", "CVE-2021-25122", "CVE-2021-25329"], "modified": "2021-06-29T08:47:38", "id": "RHSA-2021:2561", "href": "https://access.redhat.com/errata/RHSA-2021:2561", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-10-19T20:37:57", "description": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.3.\n\nSecurity Fix(es):\n\n* wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL (CVE-2020-25644)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-11-04T15:30:10", "type": "redhat", "title": "(RHSA-2020:4923) Important: Red Hat JBoss Enterprise Application Platform 7.3.3 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25644"], "modified": "2020-11-04T15:31:06", "id": "RHSA-2020:4923", "href": "https://access.redhat.com/errata/RHSA-2020:4923", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-10-19T20:37:49", "description": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 6, 7, and 8.\n\nSecurity Fix(es):\n\n* wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL (CVE-2020-25644)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-11-04T15:29:41", "type": "redhat", "title": "(RHSA-2020:4922) Important: Red Hat JBoss Enterprise Application Platform 7.3 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25644"], "modified": "2020-11-04T15:34:39", "id": "RHSA-2020:4922", "href": "https://access.redhat.com/errata/RHSA-2020:4922", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-10-19T20:40:10", "description": "Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nSecurity Fix:\n\n* wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL (CVE-2020-25644)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-11-09T12:00:51", "type": "redhat", "title": "(RHSA-2020:4978) Important: Red Hat Single Sign-On 7.4.3 one-off security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25644"], "modified": "2020-11-09T12:01:38", "id": "RHSA-2020:4978", "href": "https://access.redhat.com/errata/RHSA-2020:4978", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-10-19T20:40:26", "description": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 6, 7, and 8.\n\nSecurity Fix(es):\n\n* wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL (CVE-2020-25644)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-10-14T15:38:12", "type": "redhat", "title": "(RHSA-2020:4256) Important: Red Hat JBoss Enterprise Application Platform 7.3 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25644"], "modified": "2020-10-14T15:43:31", "id": "RHSA-2020:4256", "href": "https://access.redhat.com/errata/RHSA-2020:4256", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-10-19T20:37:06", "description": "Red Hat JBoss Enterprise Application Platform 7.3 is a platform for Java applications based on the WildFly application runtime.\n\nThis asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.3.\n\nSecurity Fix(es):\n\n* wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL (CVE-2020-25644)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-10-14T15:38:17", "type": "redhat", "title": "(RHSA-2020:4257) Important: Red Hat JBoss Enterprise Application Platform 7.3 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25644"], "modified": "2020-10-14T15:39:00", "id": "RHSA-2020:4257", "href": "https://access.redhat.com/errata/RHSA-2020:4257", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "debian": [{"lastseen": "2022-02-17T11:32:21", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4727-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nJuly 17, 2020 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : tomcat9\nCVE ID : CVE-2020-9484 CVE-2020-11996 CVE-2020-13934 CVE-2020-13935\n\nSeveral vulnerabilities were discovered in the Tomcat servlet and JSP\nengine, which could result in code execution or denial of service.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 9.0.31-1~deb10u2.\n\nWe recommend that you upgrade your tomcat9 packages.\n\nFor the detailed security status of tomcat9 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/tomcat9\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-07-17T18:07:40", "type": "debian", "title": "[SECURITY] [DSA 4627-1] tomcat9 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11996", "CVE-2020-13934", "CVE-2020-13935", "CVE-2020-9484"], "modified": "2020-07-17T18:07:40", "id": "DEBIAN:DSA-4627-1:1B266", "href": "https://lists.debian.org/debian-security-announce/2020/msg00133.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-10-22T12:19:54", "description": "Package : tomcat8\nVersion : 8.0.14-1+deb8u17\nCVE ID : CVE-2019-17563 CVE-2020-1935 CVE-2020-1938\n CVE-2020-9484\nDebian Bug : 961209 952436 952437 952438\n\n\nSeveral security vulnerabilities have been discovered in the Tomcat\nservlet and JSP engine.\n\nWARNING: The fix for CVE-2020-1938 may disrupt services that rely on a\nworking AJP configuration. The option secretRequired defaults to true\nnow. You should define a secret in your server.xml or you can revert\nback by setting secretRequired to false.\n\n\nCVE-2019-17563\n\n When using FORM authentication with Apache Tomcat there was a narrow\n window where an attacker could perform a session fixation attack.\n The window was considered too narrow for an exploit to be practical\n but, erring on the side of caution, this issue has been treated as a\n security vulnerability.\n\nCVE-2020-1935\n\n In Apache Tomcat the HTTP header parsing code used an approach to\n end-of-line parsing that allowed some invalid HTTP headers to be\n parsed as valid. This led to a possibility of HTTP Request Smuggling\n if Tomcat was located behind a reverse proxy that incorrectly\n handled the invalid Transfer-Encoding header in a particular manner.\n Such a reverse proxy is considered unlikely.\n\nCVE-2020-1938\n\n When using the Apache JServ Protocol (AJP), care must be taken when\n trusting incoming connections to Apache Tomcat. Tomcat treats AJP\n connections as having higher trust than, for example, a similar HTTP\n connection. If such connections are available to an attacker, they\n can be exploited in ways that may be surprising. Previously Tomcat\n shipped with an AJP Connector enabled by default that listened on\n all configured IP addresses. It was expected (and recommended in the\n security guide) that this Connector would be disabled if not\n required.\n .\n Note that Debian already disabled the AJP connector by default.\n Mitigation is only required if the AJP port was made accessible to\n untrusted users.\n\nCVE-2020-9484\n\n When using Apache Tomcat and an attacker is able to control the\n contents and name of a file on the server; and b) the server is\n configured to use the PersistenceManager with a FileStore; and c)\n the PersistenceManager is configured with\n sessionAttributeValueClassNameFilter="null" (the default unless a\n SecurityManager is used) or a sufficiently lax filter to allow the\n attacker provided object to be deserialized; and d) the attacker\n knows the relative file path from the storage location used by\n FileStore to the file the attacker has control over; then, using a\n specifically crafted request, the attacker will be able to trigger\n remote code execution via deserialization of the file under their\n control. Note that all of conditions a) to d) must be true for the\n attack to succeed.\n\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n8.0.14-1+deb8u17.\n\nWe recommend that you upgrade your tomcat8 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-28T17:53:49", "type": "debian", "title": "[SECURITY] [DLA 2209-1] tomcat8 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17563", "CVE-2020-1935", "CVE-2020-1938", "CVE-2020-9484"], "modified": "2020-05-28T17:53:49", "id": "DEBIAN:DLA-2209-1:D154F", "href": "https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-26T19:13:25", "description": "Package : tomcat8\nVersion : 8.0.14-1+deb8u17\nCVE ID : CVE-2019-17563 CVE-2020-1935 CVE-2020-1938\n CVE-2020-9484\nDebian Bug : 961209 952436 952437 952438\n\n\nSeveral security vulnerabilities have been discovered in the Tomcat\nservlet and JSP engine.\n\nWARNING: The fix for CVE-2020-1938 may disrupt services that rely on a\nworking AJP configuration. The option secretRequired defaults to true\nnow. You should define a secret in your server.xml or you can revert\nback by setting secretRequired to false.\n\n\nCVE-2019-17563\n\n When using FORM authentication with Apache Tomcat there was a narrow\n window where an attacker could perform a session fixation attack.\n The window was considered too narrow for an exploit to be practical\n but, erring on the side of caution, this issue has been treated as a\n security vulnerability.\n\nCVE-2020-1935\n\n In Apache Tomcat the HTTP header parsing code used an approach to\n end-of-line parsing that allowed some invalid HTTP headers to be\n parsed as valid. This led to a possibility of HTTP Request Smuggling\n if Tomcat was located behind a reverse proxy that incorrectly\n handled the invalid Transfer-Encoding header in a particular manner.\n Such a reverse proxy is considered unlikely.\n\nCVE-2020-1938\n\n When using the Apache JServ Protocol (AJP), care must be taken when\n trusting incoming connections to Apache Tomcat. Tomcat treats AJP\n connections as having higher trust than, for example, a similar HTTP\n connection. If such connections are available to an attacker, they\n can be exploited in ways that may be surprising. Previously Tomcat\n shipped with an AJP Connector enabled by default that listened on\n all configured IP addresses. It was expected (and recommended in the\n security guide) that this Connector would be disabled if not\n required.\n .\n Note that Debian already disabled the AJP connector by default.\n Mitigation is only required if the AJP port was made accessible to\n untrusted users.\n\nCVE-2020-9484\n\n When using Apache Tomcat and an attacker is able to control the\n contents and name of a file on the server; and b) the server is\n configured to use the PersistenceManager with a FileStore; and c)\n the PersistenceManager is configured with\n sessionAttributeValueClassNameFilter="null" (the default unless a\n SecurityManager is used) or a sufficiently lax filter to allow the\n attacker provided object to be deserialized; and d) the attacker\n knows the relative file path from the storage location used by\n FileStore to the file the attacker has control over; then, using a\n specifically crafted request, the attacker will be able to trigger\n remote code execution via deserialization of the file under their\n control. Note that all of conditions a) to d) must be true for the\n attack to succeed.\n\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n8.0.14-1+deb8u17.\n\nWe recommend that you upgrade your tomcat8 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-28T17:53:49", "type": "debian", "title": "[SECURITY] [DLA 2209-1] tomcat8 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17563", "CVE-2020-1935", "CVE-2020-1938", "CVE-2020-9484"], "modified": "2020-05-28T17:53:49", "id": "DEBIAN:DLA-2209-1:84C77", "href": "https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-22T11:20:10", "description": "- -------------------------------------------------------------------------\nDebian LTS Advisory DLA-2286-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Markus Koschany\nJuly 22, 2020 https://wiki.debian.org/LTS\n- -------------------------------------------------------------------------\n\nPackage : tomcat8\nVersion : 8.5.54-0+deb9u3\nCVE ID : CVE-2020-13934 CVE-2020-13935\n\nSeveral security vulnerabilities have been discovered in the Tomcat\nservlet and JSP engine.\n\nCVE-2020-13934\n\n An h2c direct connection to Apache Tomcat did not release the\n HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient\n number of such requests were made, an OutOfMemoryException could\n occur leading to a denial of service.\n\nCVE-2020-13935\n\n The payload length in a WebSocket frame was not correctly validated\n in Apache Tomcat. Invalid payload lengths could trigger an infinite\n loop. Multiple requests with invalid payload lengths could lead to a\n denial of service.\n\nFor Debian 9 stretch, these problems have been fixed in version\n8.5.54-0+deb9u3.\n\nWe recommend that you upgrade your tomcat8 packages.\n\nFor the detailed security status of tomcat8 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/tomcat8\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-07-22T16:39:36", "type": "debian", "title": "[SECURITY] [DLA 2286-1] tomcat8 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13934", "CVE-2020-13935"], "modified": "2020-07-22T16:39:36", "id": "DEBIAN:DLA-2286-1:A2783", "href": "https://lists.debian.org/debian-lts-announce/2020/07/msg00017.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-11-30T15:14:09", "description": "- -------------------------------------------------------------------------\nDebian LTS Advisory DLA-2286-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Markus Koschany\nJuly 22, 2020 https://wiki.debian.org/LTS\n- -------------------------------------------------------------------------\n\nPackage : tomcat8\nVersion : 8.5.54-0+deb9u3\nCVE ID : CVE-2020-13934 CVE-2020-13935\n\nSeveral security vulnerabilities have been discovered in the Tomcat\nservlet and JSP engine.\n\nCVE-2020-13934\n\n An h2c direct connection to Apache Tomcat did not release the\n HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient\n number of such requests were made, an OutOfMemoryException could\n occur leading to a denial of service.\n\nCVE-2020-13935\n\n The payload length in a WebSocket frame was not correctly validated\n in Apache Tomcat. Invalid payload lengths could trigger an infinite\n loop. Multiple requests with invalid payload lengths could lead to a\n denial of service.\n\nFor Debian 9 stretch, these problems have been fixed in version\n8.5.54-0+deb9u3.\n\nWe recommend that you upgrade your tomcat8 packages.\n\nFor the detailed security status of tomcat8 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/tomcat8\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-07-22T16:39:36", "type": "debian", "title": "[SECURITY] [DLA 2286-1] tomcat8 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13934", "CVE-2020-13935"], "modified": "2020-07-22T16:39:36", "id": "DEBIAN:DLA-2286-1:F04B8", "href": "https://lists.debian.org/debian-lts-announce/2020/07/msg00017.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-10-22T11:20:53", "description": "- -------------------------------------------------------------------------\nDebian LTS Advisory DLA-2279-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Markus Koschany\nJuly 12, 2020 https://wiki.debian.org/LTS\n- -------------------------------------------------------------------------\n\nPackage : tomcat8\nVersion : 8.5.54-0+deb9u2\nCVE ID : CVE-2020-9484 CVE-2020-11996\nDebian Bug : 961209\n\nSeveral security vulnerabilities have been discovered in the Tomcat\nservlet and JSP engine.\n\n\nCVE-2020-9484\n\n When using Apache Tomcat and an attacker is able to control the\n contents and name of a file on the server; and b) the server is\n configured to use the PersistenceManager with a FileStore; and c)\n the PersistenceManager is configured with\n sessionAttributeValueClassNameFilter="null" (the default unless a\n SecurityManager is used) or a sufficiently lax filter to allow the\n attacker provided object to be deserialized; and d) the attacker\n knows the relative file path from the storage location used by\n FileStore to the file the attacker has control over; then, using a\n specifically crafted request, the attacker will be able to trigger\n remote code execution via deserialization of the file under their\n control. Note that all of conditions a) to d) must be true for the\n attack to succeed.\n\n\nCVE-2020-11996\n\n A specially crafted sequence of HTTP/2 requests sent to Apache\n Tomcat could trigger high CPU usage for several seconds. If a\n sufficient number of such requests were made on concurrent HTTP/2\n connections, the server could become unresponsive.\n\nFor Debian 9 stretch, these problems have been fixed in version\n8.5.54-0+deb9u2.\n\nWe recommend that you upgrade your tomcat8 packages.\n\nFor the detailed security status of tomcat8 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/tomcat8\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-07-12T21:11:35", "type": "debian", "title": "[SECURITY] [DLA 2279-1] tomcat8 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11996", "CVE-2020-9484"], "modified": "2020-07-12T21:11:35", "id": "DEBIAN:DLA-2279-1:AB3FB", "href": "https://lists.debian.org/debian-lts-announce/2020/07/msg00010.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-12-17T10:12:53", "description": "- -------------------------------------------------------------------------\nDebian LTS Advisory DLA-2279-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Markus Koschany\nJuly 12, 2020 https://wiki.debian.org/LTS\n- -------------------------------------------------------------------------\n\nPackage : tomcat8\nVersion : 8.5.54-0+deb9u2\nCVE ID : CVE-2020-9484 CVE-2020-11996\nDebian Bug : 961209\n\nSeveral security vulnerabilities have been discovered in the Tomcat\nservlet and JSP engine.\n\n\nCVE-2020-9484\n\n When using Apache Tomcat and an attacker is able to control the\n contents and name of a file on the server; and b) the server is\n configured to use the PersistenceManager with a FileStore; and c)\n the PersistenceManager is configured with\n sessionAttributeValueClassNameFilter="null" (the default unless a\n SecurityManager is used) or a sufficiently lax filter to allow the\n attacker provided object to be deserialized; and d) the attacker\n knows the relative file path from the storage location used by\n FileStore to the file the attacker has control over; then, using a\n specifically crafted request, the attacker will be able to trigger\n remote code execution via deserialization of the file under their\n control. Note that all of conditions a) to d) must be true for the\n attack to succeed.\n\n\nCVE-2020-11996\n\n A specially crafted sequence of HTTP/2 requests sent to Apache\n Tomcat could trigger high CPU usage for several seconds. If a\n sufficient number of such requests were made on concurrent HTTP/2\n connections, the server could become unresponsive.\n\nFor Debian 9 stretch, these problems have been fixed in version\n8.5.54-0+deb9u2.\n\nWe recommend that you upgrade your tomcat8 packages.\n\nFor the detailed security status of tomcat8 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/tomcat8\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-07-12T21:11:35", "type": "debian", "title": "[SECURITY] [DLA 2279-1] tomcat8 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11996", "CVE-2020-9484"], "modified": "2020-07-12T21:11:35", "id": "DEBIAN:DLA-2279-1:771F3", "href": "https://lists.debian.org/debian-lts-announce/2020/07/msg00010.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-01-24T16:17:45", "description": "-------------------------------------------------------------------------\nDebian LTS Advisory DLA-2365-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Roberto C. S\u00e1nchez\nSeptember 04, 2020 https://wiki.debian.org/LTS\n-------------------------------------------------------------------------\n\nPackage : netty-3.9\nVersion : 3.9.9.Final-1+deb9u1\nCVE ID : CVE-2019-16869 CVE-2019-20444 CVE-2019-20445\nDebian Bug : 941266 950966 950967\n\nSeveral vulnerabilities have been discovered in netty-3.9, a Java NIO\nclient/server socket framework.\n\nCVE-2019-16869\n\n Netty before 4.1.42.Final mishandles whitespace before the colon in\n HTTP headers (such as a "Transfer-Encoding : chunked" line), which\n leads to HTTP request smuggling.\n\nCVE-2019-20444\n\n HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header\n that lacks a colon, which might be interpreted as a separate header\n with an incorrect syntax, or might be interpreted as an "invalid\n fold."\n\nCVE-2019-20445\n\n HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length\n header to be accompanied by a second Content-Length header, or by a\n Transfer-Encoding header.\n\nFor Debian 9 stretch, these problems have been fixed in version\n3.9.9.Final-1+deb9u1.\n\nWe recommend that you upgrade your netty-3.9 packages.\n\nFor the detailed security status of netty-3.9 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/netty-3.9\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\nAttachment:\nsignature.asc\nDescription: PGP signature\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.2}, "published": "2020-09-04T18:41:04", "type": "debian", "title": "[SECURITY] [DLA 2365-1] netty-3.9 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16869", "CVE-2019-20444", "CVE-2019-20445"], "modified": "2020-09-04T18:41:04", "id": "DEBIAN:DLA-2365-1:41B26", "href": "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-01-25T11:29:14", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4673-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nMay 03, 2020 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : tomcat8\nCVE ID : CVE-2019-17569 CVE-2020-1935 CVE-2020-1938\n\nSeveral vulnerabilities were discovered in the Tomcat servlet and JSP\nengine, which could result in HTTP request smuggling and code execution\nin the AJP connector (disabled by default in Debian).\n\nFor the oldstable distribution (stretch), these problems have been fixed\nin version 8.5.54-0+deb9u1.\n\nWe recommend that you upgrade your tomcat8 packages.\n\nFor the detailed security status of tomcat8 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/tomcat8\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-03T18:29:38", "type": "debian", "title": "[SECURITY] [DSA 4673-1] tomcat8 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17569", "CVE-2020-1935", "CVE-2020-1938"], "modified": "2020-05-03T18:29:38", "id": "DEBIAN:DSA-4673-1:A3780", "href": "https://lists.debian.org/debian-security-announce/2020/msg00076.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-22T12:26:58", "description": "Package : tomcat7\nVersion : 7.0.56-3+really7.0.100-1\nCVE ID : CVE-2019-17569 CVE-2020-1935 CVE-2020-1938\n\nSeveral security vulnerabilities have been discovered in the Tomcat\nservlet and JSP engine.\n\nCVE-2019-17569\n\n The refactoring in 7.0.98 introduced a regression. The result of\n the regression was that invalid Transfer-Encoding headers were\n incorrectly processed leading to a possibility of HTTP Request\n Smuggling if Tomcat was located behind a reverse proxy that\n incorrectly handled the invalid Transfer-Encoding header in a\n particular manner. Such a reverse proxy is considered unlikely.\n\nCVE-2020-1935\n\n The HTTP header parsing code used an approach to end-of-line (EOL)\n parsing that allowed some invalid HTTP headers to be parsed as\n valid. This led to a possibility of HTTP Request Smuggling if Tomcat\n was located behind a reverse proxy that incorrectly handled the\n invalid Transfer-Encoding header in a particular manner. Such a\n reverse proxy is considered unlikely.\n\nCVE-2020-1938\n\n When using the Apache JServ Protocol (AJP), care must be taken when\n trusting incoming connections to Apache Tomcat. Tomcat treats AJP\n connections as having higher trust than, for example, a similar HTTP\n connection. If such connections are available to an attacker, they\n can be exploited in ways that may be surprising. Prior to Tomcat\n 7.0.100, Tomcat shipped with an AJP Connector enabled by default\n that listened on all configured IP addresses. It was expected (and\n recommended in the security guide) that this Connector would be\n disabled if not required.\n\n Note that Debian already disabled the AJP connector by default.\n Mitigation is only required if the AJP port was made accessible to\n untrusted users.\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n7.0.56-3+really7.0.100-1.\n\nWe recommend that you upgrade your tomcat7 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-04T18:14:50", "type": "debian", "title": "[SECURITY] [DLA 2133-1] tomcat7 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17569", "CVE-2020-1935", "CVE-2020-1938"], "modified": "2020-03-04T18:14:50", "id": "DEBIAN:DLA-2133-1:4E05E", "href": "https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-01T15:27:04", "description": "Package : tomcat7\nVersion : 7.0.56-3+really7.0.100-1\nCVE ID : CVE-2019-17569 CVE-2020-1935 CVE-2020-1938\n\nSeveral security vulnerabilities have been discovered in the Tomcat\nservlet and JSP engine.\n\nCVE-2019-17569\n\n The refactoring in 7.0.98 introduced a regression. The result of\n the regression was that invalid Transfer-Encoding headers were\n incorrectly processed leading to a possibility of HTTP Request\n Smuggling if Tomcat was located behind a reverse proxy that\n incorrectly handled the invalid Transfer-Encoding header in a\n particular manner. Such a reverse proxy is considered unlikely.\n\nCVE-2020-1935\n\n The HTTP header parsing code used an approach to end-of-line (EOL)\n parsing that allowed some invalid HTTP headers to be parsed as\n valid. This led to a possibility of HTTP Request Smuggling if Tomcat\n was located behind a reverse proxy that incorrectly handled the\n invalid Transfer-Encoding header in a particular manner. Such a\n reverse proxy is considered unlikely.\n\nCVE-2020-1938\n\n When using the Apache JServ Protocol (AJP), care must be taken when\n trusting incoming connections to Apache Tomcat. Tomcat treats AJP\n connections as having higher trust than, for example, a similar HTTP\n connection. If such connections are available to an attacker, they\n can be exploited in ways that may be surprising. Prior to Tomcat\n 7.0.100, Tomcat shipped with an AJP Connector enabled by default\n that listened on all configured IP addresses. It was expected (and\n recommended in the security guide) that this Connector would be\n disabled if not required.\n\n Note that Debian already disabled the AJP connector by default.\n Mitigation is only required if the AJP port was made accessible to\n untrusted users.\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n7.0.56-3+really7.0.100-1.\n\nWe recommend that you upgrade your tomcat7 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-04T18:14:50", "type": "debian", "title": "[SECURITY] [DLA 2133-1] tomcat7 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17569", "CVE-2020-1935", "CVE-2020-1938"], "modified": "2020-03-04T18:14:50", "id": "DEBIAN:DLA-2133-1:EFD3F", "href": "https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2022-06-16T15:39:09", "description": "Several vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in code execution or denial of service.", "cvss3": {"score": 7, "vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-07-20T00:00:00", "type": "nessus", "title": "Debian DSA-4727-1 : tomcat9 - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11996", "CVE-2020-13934", "CVE-2020-13935", "CVE-2020-9484"], "modified": "2021-01-25T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:tomcat9", "cpe:/o:debian:debian_linux:10.0"], "id": "DEBIAN_DSA-4727.NASL", "href": "https://www.tenable.com/plugins/nessus/138647", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4727. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(138647);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/25\");\n\n script_cve_id(\"CVE-2020-11996\", \"CVE-2020-13934\", \"CVE-2020-13935\", \"CVE-2020-9484\");\n script_xref(name:\"DSA\", value:\"4727\");\n script_xref(name:\"IAVA\", value:\"2020-A-0316-S\");\n\n script_name(english:\"Debian DSA-4727-1 : tomcat9 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Several vulnerabilities were discovered in the Tomcat servlet and JSP\nengine, which could result in code execution or denial of service.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/tomcat9\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/buster/tomcat9\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2020/dsa-4727\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the tomcat9 packages.\n\nFor the stable distribution (buster), these problems have been fixed\nin version 9.0.31-1~deb10u2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-9484\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat9\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"libtomcat9-embed-java\", reference:\"9.0.31-1~deb10u2\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libtomcat9-java\", reference:\"9.0.31-1~deb10u2\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"tomcat9\", reference:\"9.0.31-1~deb10u2\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"tomcat9-admin\", reference:\"9.0.31-1~deb10u2\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"tomcat9-common\", reference:\"9.0.31-1~deb10u2\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"tomcat9-docs\", reference:\"9.0.31-1~deb10u2\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"tomcat9-examples\", reference:\"9.0.31-1~deb10u2\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"tomcat9-user\", reference:\"9.0.31-1~deb10u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T15:39:38", "description": "According to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.(CVE-2020-13935)\n\n - An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.(CVE-2020-13934)\n\n - A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.(CVE-2020-11996)\n\n - When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server and b) the server is configured to use the PersistenceManager with a FileStore and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter='null' (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control.\n Note that all of conditions a) to d) must be true for the attack to succeed.(CVE-2020-9484)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7, "vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-07-30T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP8 : tomcat (EulerOS-SA-2020-1829)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11996", "CVE-2020-13934", "CVE-2020-13935", "CVE-2020-9484"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:tomcat", "p-cpe:/a:huawei:euleros:tomcat-admin-webapps", "p-cpe:/a:huawei:euleros:tomcat-el-3.0-api", "p-cpe:/a:huawei:euleros:tomcat-jsp-2.3-api", "p-cpe:/a:huawei:euleros:tomcat-lib", "p-cpe:/a:huawei:euleros:tomcat-servlet-4.0-api", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2020-1829.NASL", "href": "https://www.tenable.com/plugins/nessus/139159", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(139159);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2020-11996\",\n \"CVE-2020-13934\",\n \"CVE-2020-13935\",\n \"CVE-2020-9484\"\n );\n\n script_name(english:\"EulerOS 2.0 SP8 : tomcat (EulerOS-SA-2020-1829)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the tomcat packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - The payload length in a WebSocket frame was not\n correctly validated in Apache Tomcat 10.0.0-M1 to\n 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and\n 7.0.27 to 7.0.104. Invalid payload lengths could\n trigger an infinite loop. Multiple requests with\n invalid payload lengths could lead to a denial of\n service.(CVE-2020-13935)\n\n - An h2c direct connection to Apache Tomcat 10.0.0-M1 to\n 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did\n not release the HTTP/1.1 processor after the upgrade to\n HTTP/2. If a sufficient number of such requests were\n made, an OutOfMemoryException could occur leading to a\n denial of service.(CVE-2020-13934)\n\n - A specially crafted sequence of HTTP/2 requests sent to\n Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to\n 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage\n for several seconds. If a sufficient number of such\n requests were made on concurrent HTTP/2 connections,\n the server could become unresponsive.(CVE-2020-11996)\n\n - When using Apache Tomcat versions 10.0.0-M1 to\n 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and\n 7.0.0 to 7.0.103 if a) an attacker is able to control\n the contents and name of a file on the server and b)\n the server is configured to use the PersistenceManager\n with a FileStore and c) the PersistenceManager is\n configured with\n sessionAttributeValueClassNameFilter='null' (the\n default unless a SecurityManager is used) or a\n sufficiently lax filter to allow the attacker provided\n object to be deserialized and d) the attacker knows the\n relative file path from the storage location used by\n FileStore to the file the attacker has control over\n then, using a specifically crafted request, the\n attacker will be able to trigger remote code execution\n via deserialization of the file under their control.\n Note that all of conditions a) to d) must be true for\n the attack to succeed.(CVE-2020-9484)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1829\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?542740fa\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected tomcat packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-9484\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-el-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-jsp-2.3-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-servlet-4.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(8)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"tomcat-9.0.10-1.h9.eulerosv2r8\",\n \"tomcat-admin-webapps-9.0.10-1.h9.eulerosv2r8\",\n \"tomcat-el-3.0-api-9.0.10-1.h9.eulerosv2r8\",\n \"tomcat-jsp-2.3-api-9.0.10-1.h9.eulerosv2r8\",\n \"tomcat-lib-9.0.10-1.h9.eulerosv2r8\",\n \"tomcat-servlet-4.0-api-9.0.10-1.h9.eulerosv2r8\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"8\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat\");\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-16T15:30:59", "description": "The remote Ubuntu 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4596-1 advisory.\n\n - When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter=null (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed. (CVE-2020-9484)\n\n - A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.\n (CVE-2020-11996)\n\n - An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service. (CVE-2020-13934)\n\n - The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. (CVE-2020-13935)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7, "vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-10-24T00:00:00", "type": "nessus", "title": "Ubuntu 20.04 LTS : Tomcat vulnerabilities (USN-4596-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11996", "CVE-2020-13934", "CVE-2020-13935", "CVE-2020-9484"], "modified": "2020-11-24T00:00:00", "cpe": ["cpe:2.3:o:canonical:ubuntu_linux:20.04:-:lts:*:*:*:*:*", "p-cpe:2.3:a:canonical:ubuntu_linux:libtomcat9-java:*:*:*:*:*:*:*", "p-cpe:2.3:a:canonical:ubuntu_linux:tomcat9:*:*:*:*:*:*:*", "p-cpe:2.3:a:canonical:ubuntu_linux:libtomcat9-embed-java:*:*:*:*:*:*:*", "p-cpe:2.3:a:canonical:ubuntu_linux:tomcat9-admin:*:*:*:*:*:*:*", "p-cpe:2.3:a:canonical:ubuntu_linux:tomcat9-common:*:*:*:*:*:*:*", "p-cpe:2.3:a:canonical:ubuntu_linux:tomcat9-examples:*:*:*:*:*:*:*", "p-cpe:2.3:a:canonical:ubuntu_linux:tomcat9-user:*:*:*:*:*:*:*"], "id": "UBUNTU_USN-4596-1.NASL", "href": "https://www.tenable.com/plugins/nessus/141862", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4596-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141862);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/24\");\n\n script_cve_id(\n \"CVE-2020-9484\",\n \"CVE-2020-11996\",\n \"CVE-2020-13934\",\n \"CVE-2020-13935\"\n );\n script_xref(name:\"USN\", value:\"4596-1\");\n\n script_name(english:\"Ubuntu 20.04 LTS : Tomcat vulnerabilities (USN-4596-1)\");\n script_summary(english:\"Checks the dpkg output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe USN-4596-1 advisory.\n\n - When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to\n 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the\n server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is\n configured with sessionAttributeValueClassNameFilter=null (the default unless a SecurityManager is used)\n or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker\n knows the relative file path from the storage location used by FileStore to the file the attacker has\n control over; then, using a specifically crafted request, the attacker will be able to trigger remote code\n execution via deserialization of the file under their control. Note that all of conditions a) to d) must\n be true for the attack to succeed. (CVE-2020-9484)\n\n - A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to\n 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of\n such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.\n (CVE-2020-11996)\n\n - An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56\n did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such\n requests were made, an OutOfMemoryException could occur leading to a denial of service. (CVE-2020-13934)\n\n - The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to\n 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could\n trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of\n service. (CVE-2020-13935)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4596-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-9484\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libtomcat9-embed-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libtomcat9-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:tomcat9\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:tomcat9-admin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:tomcat9-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:tomcat9-examples\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:tomcat9-user\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('misc_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! preg(pattern:\"^(20\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 20.04', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\n\npkgs = [\n {'osver': '20.04', 'pkgname': 'libtomcat9-embed-java', 'pkgver': '9.0.31-1ubuntu0.1'},\n {'osver': '20.04', 'pkgname': 'libtomcat9-java', 'pkgver': '9.0.31-1ubuntu0.1'},\n {'osver': '20.04', 'pkgname': 'tomcat9', 'pkgver': '9.0.31-1ubuntu0.1'},\n {'osver': '20.04', 'pkgname': 'tomcat9-admin', 'pkgver': '9.0.31-1ubuntu0.1'},\n {'osver': '20.04', 'pkgname': 'tomcat9-common', 'pkgver': '9.0.31-1ubuntu0.1'},\n {'osver': '20.04', 'pkgname': 'tomcat9-examples', 'pkgver': '9.0.31-1ubuntu0.1'},\n {'osver': '20.04', 'pkgname': 'tomcat9-user', 'pkgver': '9.0.31-1ubuntu0.1'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libtomcat9-embed-java / libtomcat9-java / tomcat9 / tomcat9-admin / etc');\n}", "cvss": {"score": 4.4, "vector": "CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-13T16:49:36", "description": "The Apache Software Foundation reports :\n\nAn h2c direct connection did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.\n\nThe payload length in a WebSocket frame was not correctly validated.\nInvalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.\n\nA specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2020-07-27T00:00:00", "type": "nessus", "title": "FreeBSD : Apache Tomcat -- Multiple Vulnerabilities (6a72eff7-ccd6-11ea-9172-4c72b94353b5)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11996", "CVE-2020-13934", "CVE-2020-13935"], "modified": "2020-10-16T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:tomcat-devel", "p-cpe:/a:freebsd:freebsd:tomcat7", "p-cpe:/a:freebsd:freebsd:tomcat85", "p-cpe:/a:freebsd:freebsd:tomcat9", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_6A72EFF7CCD611EA91724C72B94353B5.NASL", "href": "https://www.tenable.com/plugins/nessus/138923", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2020 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(138923);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/16\");\n\n script_cve_id(\"CVE-2020-11996\", \"CVE-2020-13934\", \"CVE-2020-13935\");\n script_xref(name:\"IAVA\", value:\"2020-A-0316-S\");\n\n script_name(english:\"FreeBSD : Apache Tomcat -- Multiple Vulnerabilities (6a72eff7-ccd6-11ea-9172-4c72b94353b5)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The Apache Software Foundation reports :\n\nAn h2c direct connection did not release the HTTP/1.1 processor after\nthe upgrade to HTTP/2. If a sufficient number of such requests were\nmade, an OutOfMemoryException could occur leading to a denial of\nservice.\n\nThe payload length in a WebSocket frame was not correctly validated.\nInvalid payload lengths could trigger an infinite loop. Multiple\nrequests with invalid payload lengths could lead to a denial of\nservice.\n\nA specially crafted sequence of HTTP/2 requests could trigger high CPU\nusage for several seconds. If a sufficient number of such requests\nwere made on concurrent HTTP/2 connections, the server could become\nunresponsive.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://tomcat.apache.org/security-7.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://tomcat.apache.org/security-8.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://tomcat.apache.org/security-9.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://tomcat.apache.org/security-10.html\");\n # https://vuxml.freebsd.org/freebsd/6a72eff7-ccd6-11ea-9172-4c72b94353b5.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?77a4ef62\");\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:tomcat-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:tomcat7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:tomcat85\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:tomcat9\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/27\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"tomcat7<7.0.105\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"tomcat85<8.5.57\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"tomcat9<9.0.37\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"tomcat-devel<10.0.0.M7\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-13T18:30:12", "description": "According to its self-reported version number, the version of JFrog Artifactory installed on the remote host is prior to 7.7.0. It is, therefore, affected by multiple vulnerabilities:\n\n - An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service. (CVE-2020-13934)\n\n - The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop.\n Multiple requests with invalid payload lengths could lead to a denial of service. (CVE-2020-13935)\n\n - A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive. (CVE-2020-11996)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2021-03-12T00:00:00", "type": "nessus", "title": "JFrog < 7.7.0 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11996", "CVE-2020-13934", "CVE-2020-13935"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:jfrog:artifactory"], "id": "JFROG_ARTIFACTORY_7_7_0.NASL", "href": "https://www.tenable.com/plugins/nessus/147719", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147719);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2020-11996\", \"CVE-2020-13934\", \"CVE-2020-13935\");\n\n script_name(english:\"JFrog < 7.7.0 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Determines if the remote JFrog Artifactory installation is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the version of JFrog Artifactory installed on the remote host is prior\nto 7.7.0. It is, therefore, affected by multiple vulnerabilities:\n\n - An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not \n release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, \n an OutOfMemoryException could occur leading to a denial of service. (CVE-2020-13934)\n\n - The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, \n 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop.\n Multiple requests with invalid payload lengths could lead to a denial of service. (CVE-2020-13935)\n\n - A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 \n and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were \n made on concurrent HTTP/2 connections, the server could become unresponsive. (CVE-2020-11996)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://www.jfrog.com/confluence/display/JFROG/Fixed+Security+Vulnerabilities\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8dc55d3d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to JFrog Artifactory 7.7.0 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-13935\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:jfrog:artifactory\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"jfrog_artifactory_win_installed.nbin\", \"jfrog_artifactory_nix_installed.nbin\", \"os_fingerprint.nasl\");\n script_require_keys(\"installed_sw/Artifactory\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nwin_local = FALSE;\nos = get_kb_item('Host/OS');\nif ('windows' >< tolower(os)) win_local = TRUE;\n\napp_info = vcf::get_app_info(app:'Artifactory', win_local:win_local);\n\nconstraints = [\n { 'min_version' : '7.0', 'fixed_version' : '7.7.0' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-06-16T15:41:21", "description": "It was discovered that Tomcat incorrectly validated the payload length in a WebSocket frame. A remote attacker could possibly use this issue to cause Tomcat to hang, resulting in a denial of service.\n(CVE-2020-13935) It was discovered that Tomcat incorrectly handled HTTP header parsing. In certain environments where Tomcat is located behind a reverse proxy, a remote attacker could possibly use this issue to perform HTTP Reqest Smuggling. (CVE-2020-1935) It was discovered that Tomcat incorrectly handled certain uncommon PersistenceManager with FileStore configurations. A remote attacker could possibly use this issue to execute arbitrary code.\n(CVE-2020-9484).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7, "vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-08-06T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS : Tomcat vulnerabilities (USN-4448-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13935", "CVE-2020-1935", "CVE-2020-9484"], "modified": "2022-05-13T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:libtomcat8-java", "p-cpe:/a:canonical:ubuntu_linux:tomcat8", "cpe:/o:canonical:ubuntu_linux:16.04"], "id": "UBUNTU_USN-4448-1.NASL", "href": "https://www.tenable.com/plugins/nessus/139368", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4448-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(139368);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/13\");\n\n script_cve_id(\"CVE-2020-13935\", \"CVE-2020-1935\", \"CVE-2020-9484\");\n script_xref(name:\"USN\", value:\"4448-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS : Tomcat vulnerabilities (USN-4448-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"It was discovered that Tomcat incorrectly validated the payload length\nin a WebSocket frame. A remote attacker could possibly use this issue\nto cause Tomcat to hang, resulting in a denial of service.\n(CVE-2020-13935) It was discovered that Tomcat incorrectly handled\nHTTP header parsing. In certain environments where Tomcat is located\nbehind a reverse proxy, a remote attacker could possibly use this\nissue to perform HTTP Reqest Smuggling. (CVE-2020-1935) It was\ndiscovered that Tomcat incorrectly handled certain uncommon\nPersistenceManager with FileStore configurations. A remote attacker\ncould possibly use this issue to execute arbitrary code.\n(CVE-2020-9484).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/4448-1/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected libtomcat8-java and / or tomcat8 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1935\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libtomcat8-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:tomcat8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2020-2022 Canonical, Inc. / NASL script (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libtomcat8-java\", pkgver:\"8.0.32-1ubuntu1.13\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"tomcat8\", pkgver:\"8.0.32-1ubuntu1.13\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libtomcat8-java / tomcat8\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-08-10T16:05:46", "description": "The remote Fedora 33 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2021-8b17a2725e advisory.\n\n - A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions. (CVE-2021-27807)\n\n - A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions. (CVE-2021-27906)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 5.5, "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2021-03-30T00:00:00", "type": "nessus", "title": "Fedora 33 : pdfbox (2021-8b17a2725e)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-27807", "CVE-2021-27906"], "modified": "2022-01-21T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:33", "p-cpe:/a:fedoraproject:fedora:pdfbox"], "id": "FEDORA_2021-8B17A2725E.NASL", "href": "https://www.tenable.com/plugins/nessus/148238", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n# The descriptive text and package checks in this plugin were\n# extracted from Fedora Security Advisory FEDORA-2021-8b17a2725e\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148238);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/21\");\n\n script_cve_id(\"CVE-2021-27807\", \"CVE-2021-27906\");\n script_xref(name:\"FEDORA\", value:\"2021-8b17a2725e\");\n\n script_name(english:\"Fedora 33 : pdfbox (2021-8b17a2725e)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Fedora host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Fedora 33 host has a package installed that is affected by multiple vulnerabilities as referenced in the\nFEDORA-2021-8b17a2725e advisory.\n\n - A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects\n Apache PDFBox version 2.0.22 and prior 2.0.x versions. (CVE-2021-27807)\n\n - A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue\n affects Apache PDFBox version 2.0.22 and prior 2.0.x versions. (CVE-2021-27906)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2021-8b17a2725e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected pdfbox package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-27906\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:33\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:pdfbox\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Fedora' >!< release) audit(AUDIT_OS_NOT, 'Fedora');\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Fedora');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^33([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Fedora 33', 'Fedora ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Fedora', cpu);\n\npkgs = [\n {'reference':'pdfbox-2.0.23-1.fc33', 'release':'FC33', 'rpm_spec_vers_cmp':TRUE}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'pdfbox');\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-10T16:09:55", "description": "The remote Fedora 32 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2021-dc83ae690a advisory.\n\n - A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions. (CVE-2021-27807)\n\n - A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions. (CVE-2021-27906)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 5.5, "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2021-03-30T00:00:00", "type": "nessus", "title": "Fedora 32 : pdfbox (2021-dc83ae690a)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-27807", "CVE-2021-27906"], "modified": "2022-01-21T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:32", "p-cpe:/a:fedoraproject:fedora:pdfbox"], "id": "FEDORA_2021-DC83AE690A.NASL", "href": "https://www.tenable.com/plugins/nessus/148231", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n# The descriptive text and package checks in this plugin were\n# extracted from Fedora Security Advisory FEDORA-2021-dc83ae690a\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148231);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/21\");\n\n script_cve_id(\"CVE-2021-27807\", \"CVE-2021-27906\");\n script_xref(name:\"FEDORA\", value:\"2021-dc83ae690a\");\n\n script_name(english:\"Fedora 32 : pdfbox (2021-dc83ae690a)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Fedora host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Fedora 32 host has a package installed that is affected by multiple vulnerabilities as referenced in the\nFEDORA-2021-dc83ae690a advisory.\n\n - A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects\n Apache PDFBox version 2.0.22 and prior 2.0.x versions. (CVE-2021-27807)\n\n - A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue\n affects Apache PDFBox version 2.0.22 and prior 2.0.x versions. (CVE-2021-27906)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2021-dc83ae690a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected pdfbox package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-27906\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:32\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:pdfbox\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Fedora' >!< release) audit(AUDIT_OS_NOT, 'Fedora');\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Fedora');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^32([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Fedora 32', 'Fedora ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Fedora', cpu);\n\npkgs = [\n {'reference':'pdfbox-2.0.23-1.fc32', 'release':'FC32', 'rpm_spec_vers_cmp':TRUE}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'pdfbox');\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-06-16T15:33:53", "description": "Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.\n\nWARNING: The fix for CVE-2020-1938 may disrupt services that rely on a working AJP configuration. The option secretRequired defaults to true now. You should define a secret in your server.xml or you can revert back by setting secretRequired to false.\n\nCVE-2019-17563\n\nWhen using FORM authentication with Apache Tomcat there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.\n\nCVE-2020-1935\n\nIn Apache Tomcat the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.\n\nCVE-2020-1938\n\nWhen using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. Previously Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required.\n. Note that Debian already disabled the AJP connector by default.\nMitigation is only required if the AJP port was made accessible to untrusted users.\n\nCVE-2020-9484\n\nWhen using Apache Tomcat and an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter='null' (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.\n\nFor Debian 8 'Jessie', these problems have been fixed in version 8.0.14-1+deb8u17.\n\nWe recommend that you upgrade your tomcat8 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-05-29T00:00:00", "type": "nessus", "title": "Debian DLA-2209-1 : tomcat8 security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-17563", "CVE-2020-1935", "CVE-2020-1938", "CVE-2020-9484"], "modified": "2022-03-08T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libservlet3.1-java", "p-cpe:/a:debian:debian_linux:libservlet3.1-java-doc", "p-cpe:/a:debian:debian_linux:libtomcat8-java", "p-cpe:/a:debian:debian_linux:tomcat8", "p-cpe:/a:debian:debian_linux:tomcat8-admin", "p-cpe:/a:debian:debian_linux:tomcat8-common", "p-cpe:/a:debian:debian_linux:tomcat8-docs", "p-cpe:/a:debian:debian_linux:tomcat8-examples", "p-cpe:/a:debian:debian_linux:tomcat8-user", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DLA-2209.NASL", "href": "https://www.tenable.com/plugins/nessus/136951", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2209-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136951);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2019-17563\",\n \"CVE-2020-1935\",\n \"CVE-2020-1938\",\n \"CVE-2020-9484\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0225-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n\n script_name(english:\"Debian DLA-2209-1 : tomcat8 security update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"Several security vulnerabilities have been discovered in the Tomcat\nservlet and JSP engine.\n\nWARNING: The fix for CVE-2020-1938 may disrupt services that rely on a\nworking AJP configuration. The option secretRequired defaults to true\nnow. You should define a secret in your server.xml or you can revert\nback by setting secretRequired to false.\n\nCVE-2019-17563\n\nWhen using FORM authentication with Apache Tomcat there was a narrow\nwindow where an attacker could perform a session fixation attack. The\nwindow was considered too narrow for an exploit to be practical but,\nerring on the side of caution, this issue has been treated as a\nsecurity vulnerability.\n\nCVE-2020-1935\n\nIn Apache Tomcat the HTTP header parsing code used an approach to\nend-of-line parsing that allowed some invalid HTTP headers to be\nparsed as valid. This led to a possibility of HTTP Request Smuggling\nif Tomcat was located behind a reverse proxy that incorrectly handled\nthe invalid Transfer-Encoding header in a particular manner. Such a\nreverse proxy is considered unlikely.\n\nCVE-2020-1938\n\nWhen using the Apache JServ Protocol (AJP), care must be taken when\ntrusting incoming connections to Apache Tomcat. Tomcat treats AJP\nconnections as having higher trust than, for example, a similar HTTP\nconnection. If such connections are available to an attacker, they can\nbe exploited in ways that may be surprising. Previously Tomcat shipped\nwith an AJP Connector enabled by default that listened on all\nconfigured IP addresses. It was expected (and recommended in the\nsecurity guide) that this Connector would be disabled if not required.\n. Note that Debian already disabled the AJP connector by default.\nMitigation is only required if the AJP port was made accessible to\nuntrusted users.\n\nCVE-2020-9484\n\nWhen using Apache Tomcat and an attacker is able to control the\ncontents and name of a file on the server; and b) the server is\nconfigured to use the PersistenceManager with a FileStore; and c) the\nPersistenceManager is configured with\nsessionAttributeValueClassNameFilter='null' (the default unless a\nSecurityManager is used) or a sufficiently lax filter to allow the\nattacker provided object to be deserialized; and d) the attacker knows\nthe relative file path from the storage location used by FileStore to\nthe file the attacker has control over; then, using a specifically\ncrafted request, the attacker will be able to trigger remote code\nexecution via deserialization of the file under their control. Note\nthat all of conditions a) to d) must be true for the attack to\nsucceed.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n8.0.14-1+deb8u17.\n\nWe recommend that you upgrade your tomcat8 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/jessie/tomcat8\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libservlet3.1-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libservlet3.1-java-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libtomcat8-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8-admin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8-examples\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8-user\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libservlet3.1-java\", reference:\"8.0.14-1+deb8u17\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libservlet3.1-java-doc\", reference:\"8.0.14-1+deb8u17\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libtomcat8-java\", reference:\"8.0.14-1+deb8u17\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8\", reference:\"8.0.14-1+deb8u17\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-admin\", reference:\"8.0.14-1+deb8u17\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-common\", reference:\"8.0.14-1+deb8u17\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-docs\", reference:\"8.0.14-1+deb8u17\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-examples\", reference:\"8.0.14-1+deb8u17\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-user\", reference:\"8.0.14-1+deb8u17\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-14T16:24:48", "description": "The version of Apache Tomcat installed on the remote host is 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 or 7.0.0 to 7.0.104. It is, therefore, affected by two denial of service vulnerabilities via WebSocket frame and HTTP/2 requests.\n\nNote that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2020-08-14T00:00:00", "type": "nessus", "title": "Apache Tomcat 10.0.0-M1 < 10.0.0-M7 Denial of Service", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13934", "CVE-2020-13935"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112548", "href": "https://www.tenable.com/plugins/was/112548", "sourceData": "No source data", "cvss": {"score": 5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-07-14T16:24:51", "description": "The version of Apache Tomcat installed on the remote host is 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 or 7.0.0 to 7.0.104. It is, therefore, affected by two denial of service vulnerabilities via WebSocket frame and HTTP/2 requests.\n\nNote that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2020-08-14T00:00:00", "type": "nessus", "title": "Apache Tomcat 9.0.0.M1 < 9.0.37 Denial of Service", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13934", "CVE-2020-13935"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112549", "href": "https://www.tenable.com/plugins/was/112549", "sourceData": "No source data", "cvss": {"score": 5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-07-14T16:24:52", "description": "The version of Apache Tomcat installed on the remote host is 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 or 7.0.0 to 7.0.104. It is, therefore, affected by two denial of service vulnerabilities via WebSocket frame and HTTP/2 requests.\n\nNote that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2020-08-14T00:00:00", "type": "nessus", "title": "Apache Tomcat 7.0.x < 7.0.105 Denial of Service", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13934", "CVE-2020-13935"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112558", "href": "https://www.tenable.com/plugins/was/112558", "sourceData": "No source data", "cvss": {"score": 5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-07-14T16:24:49", "description": "The version of Apache Tomcat installed on the remote host is 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 or 7.0.0 to 7.0.104. It is, therefore, affected by two denial of service vulnerabilities via WebSocket frame and HTTP/2 requests.\n\nNote that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2020-08-14T00:00:00", "type": "nessus", "title": "Apache Tomcat 8.5.x < 8.5.57 Denial of Service", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13934", "CVE-2020-13935"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112557", "href": "https://www.tenable.com/plugins/was/112557", "sourceData": "No source data", "cvss": {"score": 5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-13T16:54:46", "description": "This update for tomcat fixes the following issues :\n\n - Fixed CVEs :\n\n - CVE-2020-13934 (bsc#1174121)\n\n - CVE-2020-13935 (bsc#1174117)\n\nThis update was imported from the SUSE:SLE-15-SP2:Update update project.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2020-07-31T00:00:00", "type": "nessus", "title": "openSUSE Security Update : tomcat (openSUSE-2020-1111)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13934", "CVE-2020-13935"], "modified": "2020-08-04T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:tomcat", "p-cpe:/a:novell:opensuse:tomcat-admin-webapps", "p-cpe:/a:novell:opensuse:tomcat-docs-webapp", "p-cpe:/a:novell:opensuse:tomcat-el-3_0-api", "p-cpe:/a:novell:opensuse:tomcat-embed", "p-cpe:/a:novell:opensuse:tomcat-javadoc", "p-cpe:/a:novell:opensuse:tomcat-jsp-2_3-api", "p-cpe:/a:novell:opensuse:tomcat-jsvc", "p-cpe:/a:novell:opensuse:tomcat-lib", "p-cpe:/a:novell:opensuse:tomcat-servlet-4_0-api", "p-cpe:/a:novell:opensuse:tomcat-webapps", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2020-1111.NASL", "href": "https://www.tenable.com/plugins/nessus/139221", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-1111.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(139221);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/04\");\n\n script_cve_id(\"CVE-2020-13934\", \"CVE-2020-13935\");\n\n script_name(english:\"openSUSE Security Update : tomcat (openSUSE-2020-1111)\");\n script_summary(english:\"Check for the openSUSE-2020-1111 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for tomcat fixes the following issues :\n\n - Fixed CVEs :\n\n - CVE-2020-13934 (bsc#1174121)\n\n - CVE-2020-13935 (bsc#1174117)\n\nThis update was imported from the SUSE:SLE-15-SP2:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1174117\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1174121\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected tomcat packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-el-3_0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-embed\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-jsp-2_3-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-servlet-4_0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/31\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"tomcat-9.0.36-lp152.2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"tomcat-admin-webapps-9.0.36-lp152.2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"tomcat-docs-webapp-9.0.36-lp152.2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"tomcat-el-3_0-api-9.0.36-lp152.2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"tomcat-embed-9.0.36-lp152.2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"tomcat-javadoc-9.0.36-lp152.2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"tomcat-jsp-2_3-api-9.0.36-lp152.2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"tomcat-jsvc-9.0.36-lp152.2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"tomcat-lib-9.0.36-lp152.2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"tomcat-servlet-4_0-api-9.0.36-lp152.2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"tomcat-webapps-9.0.36-lp152.2.4.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat / tomcat-admin-webapps / tomcat-docs-webapp / etc\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-13T16:59:09", "description": "The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3306 advisory.\n\n - tomcat: OutOfMemoryException caused by HTTP/2 connection leak could lead to DoS (CVE-2020-13934)\n\n - tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2020-08-04T00:00:00", "type": "nessus", "title": "RHEL 6 : Red Hat JBoss Web Server 5.3.2 (RHSA-2020:3306)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13934", "CVE-2020-13935"], "modified": "2021-10-12T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:6", "cpe:/o:redhat:enterprise_linux:8", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-admin-webapps", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-docs-webapp", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-el-3.0-api", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-javadoc", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-jsp-2.3-api", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-lib", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-selinux", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-servlet-4.0-api", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-webapps"], "id": "REDHAT-RHSA-2020-3306.NASL", "href": "https://www.tenable.com/plugins/nessus/139320", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:3306. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(139320);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/10/12\");\n\n script_cve_id(\"CVE-2020-13934\", \"CVE-2020-13935\");\n script_xref(name:\"RHSA\", value:\"2020:3306\");\n script_xref(name:\"IAVA\", value:\"2020-A-0316-S\");\n\n script_name(english:\"RHEL 6 : Red Hat JBoss Web Server 5.3.2 (RHSA-2020:3306)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2020:3306 advisory.\n\n - tomcat: OutOfMemoryException caused by HTTP/2 connection leak could lead to DoS (CVE-2020-13934)\n\n - tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS\n (CVE-2020-13935)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/400.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-13934\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-13935\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:3306\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1857024\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1857040\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-13935\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(400);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-el-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-jsp-2.3-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-servlet-4.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-webapps\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nvar os_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '6')) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar repositories = {\n 'jboss_enterprise_web_server_5_3_el6': [\n 'jws-5-for-rhel-6-server-debug-rpms',\n 'jws-5-for-rhel-6-server-rpms',\n 'jws-5-for-rhel-6-server-source-rpms'\n ],\n 'jboss_enterprise_web_server_5_3_el8': [\n 'jws-5-for-rhel-8-x86_64-debug-rpms',\n 'jws-5-for-rhel-8-x86_64-rpms',\n 'jws-5-for-rhel-8-x86_64-source-rpms'\n ]\n};\n\nvar repo_sets = rhel_get_valid_repo_sets(repositories:repositories);\nif(repo_sets == RHEL_REPOS_NO_OVERLAP_MESSAGE) audit(AUDIT_PACKAGE_LIST_MISSING, RHEL_REPO_AUDIT_PACKAGE_LIST_DETAILS);\n\nvar pkgs = [\n {'reference':'jws5-tomcat-9.0.30-5.redhat_6.1.el6jws', 'release':'6', 'el_string':'el6jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5', 'repo_list':['jboss_enterprise_web_server_5_3_el6', 'jboss_enterprise_web_server_5_3_el8']},\n {'reference':'jws5-tomcat-admin-webapps-9.0.30-5.redhat_6.1.el6jws', 'release':'6', 'el_string':'el6jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5', 'repo_list':['jboss_enterprise_web_server_5_3_el6', 'jboss_enterprise_web_server_5_3_el8']},\n {'reference':'jws5-tomcat-docs-webapp-9.0.30-5.redhat_6.1.el6jws', 'release':'6', 'el_string':'el6jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5', 'repo_list':['jboss_enterprise_web_server_5_3_el6', 'jboss_enterprise_web_server_5_3_el8']},\n {'reference':'jws5-tomcat-el-3.0-api-9.0.30-5.redhat_6.1.el6jws', 'release':'6', 'el_string':'el6jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5', 'repo_list':['jboss_enterprise_web_server_5_3_el6', 'jboss_enterprise_web_server_5_3_el8']},\n {'reference':'jws5-tomcat-javadoc-9.0.30-5.redhat_6.1.el6jws', 'release':'6', 'el_string':'el6jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5', 'repo_list':['jboss_enterprise_web_server_5_3_el6', 'jboss_enterprise_web_server_5_3_el8']},\n {'reference':'jws5-tomcat-jsp-2.3-api-9.0.30-5.redhat_6.1.el6jws', 'release':'6', 'el_string':'el6jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5', 'repo_list':['jboss_enterprise_web_server_5_3_el6', 'jboss_enterprise_web_server_5_3_el8']},\n {'reference':'jws5-tomcat-lib-9.0.30-5.redhat_6.1.el6jws', 'release':'6', 'el_string':'el6jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5', 'repo_list':['jboss_enterprise_web_server_5_3_el6', 'jboss_enterprise_web_server_5_3_el8']},\n {'reference':'jws5-tomcat-selinux-9.0.30-5.redhat_6.1.el6jws', 'release':'6', 'el_string':'el6jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5', 'repo_list':['jboss_enterprise_web_server_5_3_el6', 'jboss_enterprise_web_server_5_3_el8']},\n {'reference':'jws5-tomcat-servlet-4.0-api-9.0.30-5.redhat_6.1.el6jws', 'release':'6', 'el_string':'el6jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5', 'repo_list':['jboss_enterprise_web_server_5_3_el6', 'jboss_enterprise_web_server_5_3_el8']},\n {'reference':'jws5-tomcat-webapps-9.0.30-5.redhat_6.1.el6jws', 'release':'6', 'el_string':'el6jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-5', 'repo_list':['jboss_enterprise_web_server_5_3_el6', 'jboss_enterprise_web_server_5_3_el8']}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n var repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference &&\n release &&\n (rhel_decide_repo_check(repo_list:repo_list, repo_sets:repo_sets) || (!exists_check || rpm_exists(release:release, rpm:exists_check))) &&\n rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(repo_sets)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'jws5-tomcat / jws5-tomcat-admin-webapps / jws5-tomcat-docs-webapp / etc');\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-13T16:51:44", "description": "An update of the apache package has been released.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2020-07-29T00:00:00", "type": "nessus", "title": "Photon OS 2.0: Apache PHSA-2020-2.0-0265", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13934", "CVE-2020-13935"], "modified": "2020-07-29T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:apache", "cpe:/o:vmware:photonos:2.0"], "id": "PHOTONOS_PHSA-2020-2_0-0265_APACHE.NASL", "href": "https://www.tenable.com/plugins/nessus/139052", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2020-2.0-0265. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(139052);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/07/29\");\n\n script_cve_id(\"CVE-2020-13934\", \"CVE-2020-13935\");\n\n script_name(english:\"Photon OS 2.0: Apache PHSA-2020-2.0-0265\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the apache package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-265.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-13935\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 2.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"apache-tomcat-8.5.51-4.ph2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-13T16:51:45", "description": "This update for tomcat fixes the following issues :\n\n - Fixed CVEs :\n\n - CVE-2020-13934 (bsc#1174121)\n\n - CVE-2020-13935 (bsc#1174117)\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2020-07-28T00:00:00", "type": "nessus", "title": "openSUSE Security Update : tomcat (openSUSE-2020-1102)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13934", "CVE-2020-13935"], "modified": "2020-10-16T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:tomcat", "p-cpe:/a:novell:opensuse:tomcat-admin-webapps", "p-cpe:/a:novell:opensuse:tomcat-docs-webapp", "p-cpe:/a:novell:opensuse:tomcat-el-3_0-api", "p-cpe:/a:novell:opensuse:tomcat-embed", "p-cpe:/a:novell:opensuse:tomcat-javadoc", "p-cpe:/a:novell:opensuse:tomcat-jsp-2_3-api", "p-cpe:/a:novell:opensuse:tomcat-jsvc", "p-cpe:/a:novell:opensuse:tomcat-lib", "p-cpe:/a:novell:opensuse:tomcat-servlet-4_0-api", "p-cpe:/a:novell:opensuse:tomcat-webapps", "cpe:/o:novell:opensuse:15.1"], "id": "OPENSUSE-2020-1102.NASL", "href": "https://www.tenable.com/plugins/nessus/139021", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-1102.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(139021);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/16\");\n\n script_cve_id(\"CVE-2020-13934\", \"CVE-2020-13935\");\n script_xref(name:\"IAVA\", value:\"2020-A-0316-S\");\n\n script_name(english:\"openSUSE Security Update : tomcat (openSUSE-2020-1102)\");\n script_summary(english:\"Check for the openSUSE-2020-1102 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for tomcat fixes the following issues :\n\n - Fixed CVEs :\n\n - CVE-2020-13934 (bsc#1174121)\n\n - CVE-2020-13935 (bsc#1174117)\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update\nproject.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1174117\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1174121\");\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected tomcat packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-el-3_0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-embed\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-jsp-2_3-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-servlet-4_0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/28\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"tomcat-9.0.36-lp151.3.27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"tomcat-admin-webapps-9.0.36-lp151.3.27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"tomcat-docs-webapp-9.0.36-lp151.3.27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"tomcat-el-3_0-api-9.0.36-lp151.3.27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"tomcat-embed-9.0.36-lp151.3.27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"tomcat-javadoc-9.0.36-lp151.3.27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"tomcat-jsp-2_3-api-9.0.36-lp151.3.27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"tomcat-jsvc-9.0.36-lp151.3.27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"tomcat-lib-9.0.36-lp151.3.27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"tomcat-servlet-4_0-api-9.0.36-lp151.3.27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"tomcat-webapps-9.0.36-lp151.3.27.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat / tomcat-admin-webapps / tomcat-docs-webapp / etc\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-13T16:50:28", "description": "Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.\n\nCVE-2020-13934\n\nAn h2c direct connection to Apache Tomcat did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.\n\nCVE-2020-13935\n\nThe payload length in a WebSocket frame was not correctly validated in Apache Tomcat. Invalid payload lengths could trigger an infinite loop.\nMultiple requests with invalid payload lengths could lead to a denial of service.\n\nFor Debian 9 stretch, these problems have been fixed in version 8.5.54-0+deb9u3.\n\nWe recommend that you upgrade your tomcat8 packages.\n\nFor the detailed security status of tomcat8 please refer to its security tracker page at:\nhttps://security-tracker.debian.org/tracker/tomcat8\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2020-07-23T00:00:00", "type": "nessus", "title": "Debian DLA-2286-1 : tomcat8 security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13934", "CVE-2020-13935"], "modified": "2020-10-16T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libservlet3.1-java", "p-cpe:/a:debian:debian_linux:libservlet3.1-java-doc", "p-cpe:/a:debian:debian_linux:libtomcat8-embed-java", "p-cpe:/a:debian:debian_linux:libtomcat8-java", "p-cpe:/a:debian:debian_linux:tomcat8", "p-cpe:/a:debian:debian_linux:tomcat8-admin", "p-cpe:/a:debian:debian_linux:tomcat8-common", "p-cpe:/a:debian:debian_linux:tomcat8-docs", "p-cpe:/a:debian:debian_linux:tomcat8-examples", "p-cpe:/a:debian:debian_linux:tomcat8-user", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2286.NASL", "href": "https://www.tenable.com/plugins/nessus/138859", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2286-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(138859);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/16\");\n\n script_cve_id(\"CVE-2020-13934\", \"CVE-2020-13935\");\n script_xref(name:\"IAVA\", value:\"2020-A-0316-S\");\n\n script_name(english:\"Debian DLA-2286-1 : tomcat8 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Several security vulnerabilities have been discovered in the Tomcat\nservlet and JSP engine.\n\nCVE-2020-13934\n\nAn h2c direct connection to Apache Tomcat did not release the HTTP/1.1\nprocessor after the upgrade to HTTP/2. If a sufficient number of such\nrequests were made, an OutOfMemoryException could occur leading to a\ndenial of service.\n\nCVE-2020-13935\n\nThe payload length in a WebSocket frame was not correctly validated in\nApache Tomcat. Invalid payload lengths could trigger an infinite loop.\nMultiple requests with invalid payload lengths could lead to a denial\nof service.\n\nFor Debian 9 stretch, these problems have been fixed in version\n8.5.54-0+deb9u3.\n\nWe recommend that you upgrade your tomcat8 packages.\n\nFor the detailed security status of tomcat8 please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/tomcat8\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.debian.org/debian-lts-announce/2020/07/msg00017.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/stretch/tomcat8\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/source-package/tomcat8\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libservlet3.1-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libservlet3.1-java-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libtomcat8-embed-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libtomcat8-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8-admin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8-examples\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8-user\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/23\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"libservlet3.1-java\", reference:\"8.5.54-0+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libservlet3.1-java-doc\", reference:\"8.5.54-0+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libtomcat8-embed-java\", reference:\"8.5.54-0+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libtomcat8-java\", reference:\"8.5.54-0+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8\", reference:\"8.5.54-0+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8-admin\", reference:\"8.5.54-0+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8-common\", reference:\"8.5.54-0+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8-docs\", reference:\"8.5.54-0+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8-examples\", reference:\"8.5.54-0+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8-user\", reference:\"8.5.54-0+deb9u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-13T16:49:30", "description": "An update of the apache package has been released.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2020-07-29T00:00:00", "type": "nessus", "title": "Photon OS 1.0: Apache PHSA-2020-1.0-0309", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13934", "CVE-2020-13935"], "modified": "2020-07-29T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:apache", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2020-1_0-0309_APACHE.NASL", "href": "https://www.tenable.com/plugins/nessus/139046", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2020-1.0-0309. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(139046);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/07/29\");\n\n script_cve_id(\"CVE-2020-13934\", \"CVE-2020-13935\");\n\n script_name(english:\"Photon OS 1.0: Apache PHSA-2020-1.0-0309\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the apache package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-309.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-13935\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"apache-tomcat-8.5.51-4.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-13T16:49:36", "description": "The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. (CVE-2020-13935)\n\nAn h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service. (CVE-2020-13934)", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2020-07-30T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : tomcat8 (ALAS-2020-1409)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13934", "CVE-2020-13935"], "modified": "2020-08-03T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:tomcat8", "p-cpe:/a:amazon:linux:tomcat8-admin-webapps", "p-cpe:/a:amazon:linux:tomcat8-docs-webapp", "p-cpe:/a:amazon:linux:tomcat8-el-3.0-api", "p-cpe:/a:amazon:linux:tomcat8-javadoc", "p-cpe:/a:amazon:linux:tomcat8-jsp-2.3-api", "p-cpe:/a:amazon:linux:tomcat8-lib", "p-cpe:/a:amazon:linux:tomcat8-log4j", "p-cpe:/a:amazon:linux:tomcat8-servlet-3.1-api", "p-cpe:/a:amazon:linux:tomcat8-webapps", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2020-1409.NASL", "href": "https://www.tenable.com/plugins/nessus/139089", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2020-1409.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(139089);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/03\");\n\n script_cve_id(\"CVE-2020-13934\", \"CVE-2020-13935\");\n script_xref(name:\"ALAS\", value:\"2020-1409\");\n\n script_name(english:\"Amazon Linux AMI : tomcat8 (ALAS-2020-1409)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The payload length in a WebSocket frame was not correctly validated in\nApache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to\n8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an\ninfinite loop. Multiple requests with invalid payload lengths could\nlead to a denial of service. (CVE-2020-13935)\n\nAn h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6,\n9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1\nprocessor after the upgrade to HTTP/2. If a sufficient number of such\nrequests were made, an OutOfMemoryException could occur leading to a\ndenial of service. (CVE-2020-13934)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2020-1409.html\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Run 'yum update tomcat8' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-el-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-jsp-2.3-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-log4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-servlet-3.1-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/30\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-8.5.57-1.85.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-admin-webapps-8.5.57-1.85.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-docs-webapp-8.5.57-1.85.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-el-3.0-api-8.5.57-1.85.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-javadoc-8.5.57-1.85.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-jsp-2.3-api-8.5.57-1.85.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-lib-8.5.57-1.85.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-log4j-8.5.57-1.85.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-servlet-3.1-api-8.5.57-1.85.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-webapps-8.5.57-1.85.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat8 / tomcat8-admin-webapps / tomcat8-docs-webapp / etc\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-13T16:53:04", "description": "The version of Tomcat installed on the remote host is prior to 9.0.37. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_9.0.37_security-9 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2020-07-17T00:00:00", "type": "nessus", "title": "Apache Tomcat 9.0.0.M1 < 9.0.37 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13934", "CVE-2020-13935"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:tomcat"], "id": "TOMCAT_9_0_37.NASL", "href": "https://www.tenable.com/plugins/nessus/138591", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138591);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2020-13934\", \"CVE-2020-13935\");\n script_xref(name:\"IAVA\", value:\"2020-A-0316-S\");\n\n script_name(english:\"Apache Tomcat 9.0.0.M1 < 9.0.37 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Apache Tomcat server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Tomcat installed on the remote host is prior to 9.0.37. It is, therefore, affected by multiple\nvulnerabilities as referenced in the fixed_in_apache_tomcat_9.0.37_security-9 advisory. Note that Nessus has not tested\nfor this issue but has instead relied only on the application's self-reported version number.\");\n # https://github.com/apache/tomcat/commit/40fa74c74822711ab878079d0a69f7357926723d\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5733e550\");\n # https://github.com/apache/tomcat/commit/172977f04a5215128f1e278a688983dcd230f399\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d81c5cba\");\n # https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?37703c60\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Tomcat version 9.0.37 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-13935\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:tomcat\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"tomcat_error_version.nasl\", \"tomcat_win_installed.nbin\", \"apache_tomcat_nix_installed.nbin\");\n script_require_keys(\"installed_sw/Apache Tomcat\");\n\n exit(0);\n}\n\ninclude('tomcat_version.inc');\n\ntomcat_check_version(fixed: '9.0.37', min:'9.0.0.M1', severity:SECURITY_WARNING, granularity_regex: \"^9(\\.0)?$\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-13T16:50:34", "description": "An update of the apache package has been released.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2020-07-21T00:00:00", "type": "nessus", "title": "Photon OS 3.0: Apache PHSA-2020-3.0-0116", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13934", "CVE-2020-13935"], "modified": "2020-07-22T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:apache", "cpe:/o:vmware:photonos:3.0"], "id": "PHOTONOS_PHSA-2020-3_0-0116_APACHE.NASL", "href": "https://www.tenable.com/plugins/nessus/138816", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2020-3.0-0116. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138816);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/07/22\");\n\n script_cve_id(\"CVE-2020-13934\", \"CVE-2020-13935\");\n\n script_name(english:\"Photon OS 3.0: Apache PHSA-2020-3.0-0116\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the apache package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-3.0-116.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-13935\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:3.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 3\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 3.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"apache-tomcat-8.5.51-4.ph3\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-13T18:36:57", "description": "The version of Tomcat installed on the remote host is prior to 10.0.0.M7. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_10.0.0-m7_security-10 advisory.\n\n - The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. (CVE-2020-13935)\n\n - An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service. (CVE-2020-13934)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2021-06-21T00:00:00", "type": "nessus", "title": "Apache Tomcat 10.0.0.M1 < 10.0.0.M7 multiple vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13934", "CVE-2020-13935"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:tomcat"], "id": "TOMCAT_10_0_0_M7.NASL", "href": "https://www.tenable.com/plugins/nessus/150936", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150936);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2020-13934\", \"CVE-2020-13935\");\n script_xref(name:\"IAVA\", value:\"2020-A-0316-S\");\n\n script_name(english:\"Apache Tomcat 10.0.0.M1 < 10.0.0.M7 multiple vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Apache Tomcat server is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Tomcat installed on the remote host is prior to 10.0.0.M7. It is, therefore, affected by multiple\nvulnerabilities as referenced in the fixed_in_apache_tomcat_10.0.0-m7_security-10 advisory.\n\n - The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to\n 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could\n trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of\n service. (CVE-2020-13935)\n\n - An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56\n did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such\n requests were made, an OutOfMemoryException could occur leading to a denial of service. (CVE-2020-13934)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://github.com/apache/tomcat/commit/1c1c77b0efb667cea80b532440b44cea1dc427c3\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?93d9487c\");\n # https://github.com/apache/tomcat/commit/c9167ae30f3b03b112f3d81772e3450b7d0e6a25\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5037be9d\");\n # https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?301b9be1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Tomcat version 10.0.0.M7 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-13935\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:tomcat\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"tomcat_error_version.nasl\", \"tomcat_win_installed.nbin\", \"apache_tomcat_nix_installed.nbin\");\n script_require_keys(\"installed_sw/Apache Tomcat\");\n\n exit(0);\n}\n\ninclude('tomcat_version.inc');\n\ntomcat_check_version(fixed: '10.0.0.M7', min:'10.0.0.M1', severity:SECURITY_WARNING, granularity_regex: \"^(10(\\.0(\\.0)?)?)$\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-13T16:49:31", "description": "The version of Tomcat installed on the remote host is 8.5.x prior to 8.5.57. It is, therefore, affected by multiple vulnerabilities as referenced in the Fixed in Apache Tomcat 8.5.57 security advisory.\n\n - The payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service (DoS).\n (CVE-2020-13935)\n\n - An h2c direct connection did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service (DoS). (CVE-2020-13934)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2020-07-17T00:00:00", "type": "nessus", "title": "Apache Tomcat 8.5.0 < 8.5.57 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13934", "CVE-2020-13935"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:tomcat"], "id": "TOMCAT_8_5_57.NASL", "href": "https://www.tenable.com/plugins/nessus/138574", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138574);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2020-13934\", \"CVE-2020-13935\");\n script_xref(name:\"IAVA\", value:\"2020-A-0316-S\");\n\n script_name(english:\"Apache Tomcat 8.5.0 < 8.5.57 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Apache Tomcat server is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Tomcat installed on the remote host is 8.5.x prior to 8.5.57. It is, therefore, affected by multiple\nvulnerabilities as referenced in the Fixed in Apache Tomcat 8.5.57 security advisory.\n\n - The payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger\n an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service (DoS).\n (CVE-2020-13935)\n\n - An h2c direct connection did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a\n sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of\n service (DoS). (CVE-2020-13934)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://github.com/apache/tomcat/commit/12d715676038efbf9c728af10163f8277fc019d5\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cd59de72\");\n # https://github.com/apache/tomcat/commit/923d834500802a61779318911d7898bd85fc950e\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7358785a\");\n # https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?78f0e4ba\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Tomcat version 8.5.57 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-13935\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:tomcat\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"tomcat_error_version.nasl\", \"apache_tomcat_nix_installed.nbin\", \"tomcat_win_installed.nbin\");\n script_require_keys(\"installed_sw/Apache Tomcat\");\n\n exit(0);\n}\n\ninclude('tomcat_version.inc');\n\ntomcat_check_version(fixed: '8.5.57', min:'8.5.0', severity:SECURITY_WARNING, granularity_regex: \"^8(\\.5)?$\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-07-18T20:47:56", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0248 advisory.\n\n - apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)\n\n - resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's WebApplicationException handling (CVE-2020-25633)\n\n - wildfly: resource adapter logs plaintext JMS password at warning level on connection error (CVE-2020-25640)\n\n - wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain- controller (CVE-2020-25689)\n\n - undertow: special character in query results in server errors (CVE-2020-27782)\n\n - wildfly: Potential Memory leak in Wildfly when using OpenTracing (CVE-2020-27822)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"}, "published": "2021-01-25T00:00:00", "type": "nessus", "title": "RHEL 8 : Red Hat JBoss Enterprise Application Platform 7.3.5 (RHSA-2021:0248)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13956", "CVE-2020-25633", "CVE-2020-25640", "CVE-2020-25689", "CVE-2020-27782", "CVE-2020-27822"], "modified": "2022-05-11T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:8", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jdbc-store", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-tools", "p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf", "p-cpe:/a:redhat:enterprise_linux:eap7-hal-console", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8", "p-cpe:/a:redhat:enterprise_linux:eap7-httpcomponents-client", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.3", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2-to-eap7.3", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.3-server", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-compensations", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-idlj", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-integration", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-api", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-bridge", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-integration", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-util", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-txframework", "p-cpe:/a:redhat:enterprise_linux:eap7-opentracing-interceptors", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-atom-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-cdi", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-client", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-client-microprofile", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-crypto", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson2-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxb-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxrs", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jettison-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jose-jwt", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jsapi", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-json-binding-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-json-p-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-multipart-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-rxjava2", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-spring", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-validator-provider-11", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-yaml-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-undertow", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-discovery-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron-tool", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules"], "id": "REDHAT-RHSA-2021-0248.NASL", "href": "https://www.tenable.com/plugins/nessus/145407", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0248. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145407);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/11\");\n\n script_cve_id(\n \"CVE-2020-13956\",\n \"CVE-2020-25633\",\n \"CVE-2020-25640\",\n \"CVE-2020-25689\",\n \"CVE-2020-27782\",\n \"CVE-2020-27822\"\n );\n script_xref(name:\"RHSA\", value:\"2021:0248\");\n\n script_name(english:\"RHEL 8 : Red Hat JBoss Enterprise Application Platform 7.3.5 (RHSA-2021:0248)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:0248 advisory.\n\n - apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)\n\n - resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's\n WebApplicationException handling (CVE-2020-25633)\n\n - wildfly: resource adapter logs plaintext JMS password at warning level on connection error\n (CVE-2020-25640)\n\n - wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-\n controller (CVE-2020-25689)\n\n - undertow: special character in query results in server errors (CVE-2020-27782)\n\n - wildfly: Potential Memory leak in Wildfly when using OpenTracing (CVE-2020-27822)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/20.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/209.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/400.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/401.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/532.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-13956\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25633\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25640\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25689\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-27782\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-27822\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0248\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1879042\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1881637\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1886587\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1893070\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1901304\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1904060\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25633\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-25640\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 209, 400, 401, 532);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jdbc-store\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hal-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-httpcomponents-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2-to-eap7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.3-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-compensations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-idlj\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-integration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-bridge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-integration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-txframework\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-opentracing-interceptors\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-atom-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-cdi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-client-microprofile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-crypto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson2-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxb-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxrs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jettison-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jose-jwt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jsapi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-json-binding-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-json-p-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-multipart-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-rxjava2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-spring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-validator-provider-11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-yaml-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-undertow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-discovery-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron-tool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nvar os_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar repositories = {\n 'jboss_enterprise_application_platform_7_3_el8': [\n 'jb-eap-7.3-for-rhel-8-x86_64-debug-rpms',\n 'jb-eap-7.3-for-rhel-8-x86_64-rpms',\n 'jb-eap-7.3-for-rhel-8-x86_64-source-rpms'\n ]\n};\n\nvar repo_sets = rhel_get_valid_repo_sets(repositories:repositories);\nif(repo_sets == RHEL_REPOS_NO_OVERLAP_MESSAGE) audit(AUDIT_PACKAGE_LIST_MISSING, RHEL_REPO_AUDIT_PACKAGE_LIST_DETAILS);\n\nvar pkgs = [\n {'reference':'eap7-activemq-artemis-2.9.0-7.redhat_00017.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-cli-2.9.0-7.redhat_00017.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-commons-2.9.0-7.redhat_00017.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-core-client-2.9.0-7.redhat_00017.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-dto-2.9.0-7.redhat_00017.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-hornetq-protocol-2.9.0-7.redhat_00017.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-hqclient-protocol-2.9.0-7.redhat_00017.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-jdbc-store-2.9.0-7.redhat_00017.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-jms-client-2.9.0-7.redhat_00017.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-jms-server-2.9.0-7.redhat_00017.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-journal-2.9.0-7.redhat_00017.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-ra-2.9.0-7.redhat_00017.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-selector-2.9.0-7.redhat_00017.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-server-2.9.0-7.redhat_00017.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-service-extensions-2.9.0-7.redhat_00017.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-tools-2.9.0-7.redhat_00017.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-glassfish-jsf-2.3.9-12.SP13_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-hal-console-3.2.12-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-hibernate-5.3.20-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-hibernate-core-5.3.20-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-hibernate-entitymanager-5.3.20-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-hibernate-envers-5.3.20-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-hibernate-java8-5.3.20-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-httpcomponents-client-4.5.13-1.redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-ejb-client-4.0.37-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-genericjms-2.0.8-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-modules-1.11.0-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-remoting-5.0.20-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-1.7.2-4.Final_redhat_00005.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-cli-1.7.2-4.Final_redhat_00005.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-core-1.7.2-4.Final_redhat_00005.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-eap6.4-1.7.2-4.Final_redhat_00005.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-eap6.4-to-eap7.3-1.7.2-4.Final_redhat_00005.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-eap7.0-1.7.2-4.Final_redhat_00005.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-eap7.1-1.7.2-4.Final_redhat_00005.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-eap7.2-1.7.2-4.Final_redhat_00005.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-eap7.2-to-eap7.3-1.7.2-4.Final_redhat_00005.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-eap7.3-server-1.7.2-4.Final_redhat_00005.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-wildfly10.0-1.7.2-4.Final_redhat_00005.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-wildfly10.1-1.7.2-4.Final_redhat_00005.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-wildfly11.0-1.7.2-4.Final_redhat_00005.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-wildfly12.0-1.7.2-4.Final_redhat_00005.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-wildfly13.0-server-1.7.2-4.Final_redhat_00005.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-wildfly14.0-server-1.7.2-4.Final_redhat_00005.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-wildfly15.0-server-1.7.2-4.Final_redhat_00005.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-wildfly16.0-server-1.7.2-4.Final_redhat_00005.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-wildfly17.0-server-1.7.2-4.Final_redhat_00005.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-wildfly18.0-server-1.7.2-4.Final_redhat_00005.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-wildfly8.2-1.7.2-4.Final_redhat_00005.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-wildfly9.0-1.7.2-4.Final_redhat_00005.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-xnio-base-3.7.12-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-narayana-5.9.10-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-narayana-compensations-5.9.10-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-narayana-jbosstxbridge-5.9.10-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-narayana-jbossxts-5.9.10-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-narayana-jts-idlj-5.9.10-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-narayana-jts-integration-5.9.10-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-narayana-restat-api-5.9.10-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-narayana-restat-bridge-5.9.10-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-narayana-restat-integration-5.9.10-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-narayana-restat-util-5.9.10-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-narayana-txframework-5.9.10-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-opentracing-interceptors-0.0.4.1-2.redhat_00002.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-resteasy-3.11.3-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-resteasy-atom-provider-3.11.3-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-resteasy-cdi-3.11.3-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-resteasy-client-3.11.3-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-resteasy-client-microprofile-3.11.3-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-resteasy-crypto-3.11.3-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-resteasy-jackson-provider-3.11.3-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-resteasy-jackson2-provider-3.11.3-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-resteasy-jaxb-provider-3.11.3-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-resteasy-jaxrs-3.11.3-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-resteasy-jettison-provider-3.11.3-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-resteasy-jose-jwt-3.11.3-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-resteasy-jsapi-3.11.3-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-resteasy-json-binding-provider-3.11.3-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-resteasy-json-p-provider-3.11.3-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-resteasy-multipart-provider-3.11.3-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-resteasy-rxjava2-3.11.3-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-resteasy-spring-3.11.3-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-resteasy-validator-provider-11-3.11.3-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-resteasy-yaml-provider-3.11.3-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-undertow-2.0.33-1.SP2_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-wildfly-7.3.5-2.GA_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-wildfly-discovery-client-1.2.1-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-wildfly-elytron-1.10.10-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-wildfly-elytron-tool-1.10.10-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-wildfly-http-client-common-1.0.24-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-wildfly-http-ejb-client-1.0.24-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-wildfly-http-naming-client-1.0.24-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-wildfly-http-transaction-client-1.0.24-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-wildfly-javadocs-7.3.5-2.GA_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-wildfly-modules-7.3.5-2.GA_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n var repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference &&\n release &&\n (rhel_decide_repo_check(repo_list:repo_list, repo_sets:repo_sets) || (!exists_check || rpm_exists(release:release, rpm:exists_check))) &&\n rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(repo_sets)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'eap7-activemq-artemis / eap7-activemq-artemis-cli / etc');\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-07-18T20:47:54", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0247 advisory.\n\n - apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)\n\n - resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's WebApplicationException handling (CVE-2020-25633)\n\n - wildfly: resource adapter logs plaintext JMS password at warning level on connection error (CVE-2020-25640)\n\n - wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain- controller (CVE-2020-25689)\n\n - undertow: special character in query results in server errors (CVE-2020-27782)\n\n - wildfly: Potential Memory leak in Wildfly when using OpenTracing (CVE-2020-27822)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"}, "published": "2021-01-25T00:00:00", "type": "nessus", "title": "RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.3.5 (RHSA-2021:0247)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13956", "CVE-2020-25633", "CVE-2020-25640", "CVE-2020-25689", "CVE-2020-27782", "CVE-2020-27822"], "modified": "2022-05-11T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jdbc-store", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-tools", "p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf", "p-cpe:/a:redhat:enterprise_linux:eap7-hal-console", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8", "p-cpe:/a:redhat:enterprise_linux:eap7-httpcomponents-client", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.3", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2-to-eap7.3", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.3-server", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-compensations", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-idlj", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-integration", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-api", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-bridge", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-integration", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-util", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-txframework", "p-cpe:/a:redhat:enterprise_linux:eap7-opentracing-interceptors", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-atom-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-cdi", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-client", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-client-microprofile", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-crypto", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson2-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxb-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxrs", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jettison-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jose-jwt", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jsapi", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-json-binding-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-json-p-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-multipart-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-rxjava2", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-spring", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-validator-provider-11", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-yaml-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-undertow", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-discovery-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron-tool", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk11", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk8", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules"], "id": "REDHAT-RHSA-2021-0247.NASL", "href": "https://www.tenable.com/plugins/nessus/145405", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0247. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145405);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/11\");\n\n script_cve_id(\n \"CVE-2020-13956\",\n \"CVE-2020-25633\",\n \"CVE-2020-25640\",\n \"CVE-2020-25689\",\n \"CVE-2020-27782\",\n \"CVE-2020-27822\"\n );\n script_xref(name:\"RHSA\", value:\"2021:0247\");\n\n script_name(english:\"RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.3.5 (RHSA-2021:0247)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:0247 advisory.\n\n - apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)\n\n - resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's\n WebApplicationException handling (CVE-2020-25633)\n\n - wildfly: resource adapter logs plaintext JMS password at warning level on connection error\n (CVE-2020-25640)\n\n - wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-\n controller (CVE-2020-25689)\n\n - undertow: special character in query results in server errors (CVE-2020-27782)\n\n - wildfly: Potential Memory leak in Wildfly when using OpenTracing (CVE-2020-27822)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/20.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/209.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/400.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/401.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/532.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-13956\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25633\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25640\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25689\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-27782\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-27822\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0247\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1879042\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1881637\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1886587\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1893070\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1901304\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1904060\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25633\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-25640\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 209, 400, 401, 532);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jdbc-store\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hal-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-httpcomponents-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2-to-eap7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.3-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-compensations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-idlj\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-integration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-bridge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-integration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-txframework\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-opentracing-interceptors\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-atom-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-cdi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-client-microprofile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-crypto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson2-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxb-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxrs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jettison-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jose-jwt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jsapi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-json-binding-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-json-p-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-multipart-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-rxjava2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-spring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-validator-provider-11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-yaml-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-undertow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-discovery-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron-tool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nvar os_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar repositories = {\n 'jboss_enterprise_application_platform_7_3_el7': [\n 'jb-eap-7.3-for-rhel-7-server-debug-rpms',\n 'jb-eap-7.3-for-rhel-7-server-rpms',\n 'jb-eap-7.3-for-rhel-7-server-source-rpms'\n ]\n};\n\nvar repo_sets = rhel_get_valid_repo_sets(repositories:repositories);\nif(repo_sets == RHEL_REPOS_NO_OVERLAP_MESSAGE) audit(AUDIT_PACKAGE_LIST_MISSING, RHEL_REPO_AUDIT_PACKAGE_LIST_DETAILS);\n\nvar pkgs = [\n {'reference':'eap7-activemq-artemis-2.9.0-7.redhat_00017.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-cli-2.9.0-7.redhat_00017.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-commons-2.9.0-7.redhat_00017.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-core-client-2.9.0-7.redhat_00017.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-dto-2.9.0-7.redhat_00017.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-hornetq-protocol-2.9.0-7.redhat_00017.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-hqclient-protocol-2.9.0-7.redhat_00017.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-jdbc-store-2.9.0-7.redhat_00017.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-jms-client-2.9.0-7.redhat_00017.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-jms-server-2.9.0-7.redhat_00017.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-journal-2.9.0-7.redhat_00017.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-ra-2.9.0-7.redhat_00017.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-selector-2.9.0-7.redhat_00017.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-server-2.9.0-7.redhat_00017.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-service-extensions-2.9.0-7.redhat_00017.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-tools-2.9.0-7.redhat_00017.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-glassfish-jsf-2.3.9-12.SP13_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-hal-console-3.2.12-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-hibernate-5.3.20-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-hibernate-core-5.3.20-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-hibernate-entitymanager-5.3.20-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-hibernate-envers-5.3.20-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-hibernate-java8-5.3.20-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-httpcomponents-client-4.5.13-1.redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-ejb-client-4.0.37-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-genericjms-2.0.8-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-modules-1.11.0-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-remoting-5.0.20-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-1.7.2-4.Final_redhat_00005.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-cli-1.7.2-4.Final_redhat_00005.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-core-1.7.2-4.Final_redhat_00005.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-eap6.4-1.7.2-4.Final_redhat_00005.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-eap6.4-to-eap7.3-1.7.2-4.Final_redhat_00005.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-eap7.0-1.7.2-4.Final_redhat_00005.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-eap7.1-1.7.2-4.Final_redhat_00005.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-eap7.2-1.7.2-4.Final_redhat_00005.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-eap7.2-to-eap7.3-1.7.2-4.Final_redhat_00005.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-eap7.3-server-1.7.2-4.Final_redhat_00005.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-wildfly10.0-1.7.2-4.Final_redhat_00005.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-wildfly10.1-1.7.2-4.Final_redhat_00005.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-wildfly11.0-1.7.2-4.Final_redhat_00005.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-wildfly12.0-1.7.2-4.Final_redhat_00005.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-wildfly13.0-server-1.7.2-4.Final_redhat_00005.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-wildfly14.0-server-1.7.2-4.Final_redhat_00005.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-wildfly15.0-server-1.7.2-4.Final_redhat_00005.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-wildfly16.0-server-1.7.2-4.Final_redhat_00005.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-wildfly17.0-server-1.7.2-4.Final_redhat_00005.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-wildfly18.0-server-1.7.2-4.Final_redhat_00005.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-wildfly8.2-1.7.2-4.Final_redhat_00005.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-wildfly9.0-1.7.2-4.Final_redhat_00005.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-xnio-base-3.7.12-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-narayana-5.9.10-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-narayana-compensations-5.9.10-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-narayana-jbosstxbridge-5.9.10-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-narayana-jbossxts-5.9.10-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-narayana-jts-idlj-5.9.10-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-narayana-jts-integration-5.9.10-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-narayana-restat-api-5.9.10-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-narayana-restat-bridge-5.9.10-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-narayana-restat-integration-5.9.10-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-narayana-restat-util-5.9.10-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-narayana-txframework-5.9.10-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-opentracing-interceptors-0.0.4.1-2.redhat_00002.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-resteasy-3.11.3-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-resteasy-atom-provider-3.11.3-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-resteasy-cdi-3.11.3-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-resteasy-client-3.11.3-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-resteasy-client-microprofile-3.11.3-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-resteasy-crypto-3.11.3-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-resteasy-jackson-provider-3.11.3-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-resteasy-jackson2-provider-3.11.3-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-resteasy-jaxb-provider-3.11.3-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-resteasy-jaxrs-3.11.3-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-resteasy-jettison-provider-3.11.3-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-resteasy-jose-jwt-3.11.3-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-resteasy-jsapi-3.11.3-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-resteasy-json-binding-provider-3.11.3-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-resteasy-json-p-provider-3.11.3-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-resteasy-multipart-provider-3.11.3-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-resteasy-rxjava2-3.11.3-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-resteasy-spring-3.11.3-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-resteasy-validator-provider-11-3.11.3-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-resteasy-yaml-provider-3.11.3-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-undertow-2.0.33-1.SP2_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-wildfly-7.3.5-2.GA_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-wildfly-discovery-client-1.2.1-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-wildfly-elytron-1.10.10-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-wildfly-elytron-tool-1.10.10-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-wildfly-http-client-common-1.0.24-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-wildfly-http-ejb-client-1.0.24-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-wildfly-http-naming-client-1.0.24-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-wildfly-http-transaction-client-1.0.24-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-wildfly-java-jdk11-7.3.5-2.GA_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-wildfly-java-jdk8-7.3.5-2.GA_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-wildfly-javadocs-7.3.5-2.GA_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-wildfly-modules-7.3.5-2.GA_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n var repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference &&\n release &&\n (rhel_decide_repo_check(repo_list:repo_list, repo_sets:repo_sets) || (!exists_check || rpm_exists(release:release, rpm:exists_check))) &&\n rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(repo_sets)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'eap7-activemq-artemis / eap7-activemq-artemis-cli / etc');\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-07-18T20:49:05", "description": "The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0246 advisory.\n\n - apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)\n\n - resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's WebApplicationException handling (CVE-2020-25633)\n\n - wildfly: resource adapter logs plaintext JMS password at warning level on connection error (CVE-2020-25640)\n\n - wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain- controller (CVE-2020-25689)\n\n - undertow: special character in query results in server errors (CVE-2020-27782)\n\n - wildfly: Potential Memory leak in Wildfly when using OpenTracing (CVE-2020-27822)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"}, "published": "2021-01-25T00:00:00", "type": "nessus", "title": "RHEL 6 : Red Hat JBoss Enterprise Application Platform 7.3.5 (RHSA-2021:0246)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13956", "CVE-2020-25633", "CVE-2020-25640", "CVE-2020-25689", "CVE-2020-27782", "CVE-2020-27822"], "modified": "2022-05-11T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jdbc-store", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-tools", "p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf", "p-cpe:/a:redhat:enterprise_linux:eap7-hal-console", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8", "p-cpe:/a:redhat:enterprise_linux:eap7-httpcomponents-client", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.3", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2-to-eap7.3", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.3-server", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-compensations", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-idlj", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-integration", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-api", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-bridge", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-integration", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-util", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-txframework", "p-cpe:/a:redhat:enterprise_linux:eap7-opentracing-interceptors", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-atom-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-cdi", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-client", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-client-microprofile", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-crypto", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson2-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxb-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxrs", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jettison-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jose-jwt", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jsapi", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-json-binding-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-json-p-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-multipart-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-rxjava2", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-spring", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-validator-provider-11", "p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-yaml-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-undertow", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-discovery-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron-tool", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules"], "id": "REDHAT-RHSA-2021-0246.NASL", "href": "https://www.tenable.com/plugins/nessus/145408", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:0246. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145408);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/11\");\n\n script_cve_id(\n \"CVE-2020-13956\",\n \"CVE-2020-25633\",\n \"CVE-2020-25640\",\n \"CVE-2020-25689\",\n \"CVE-2020-27782\",\n \"CVE-2020-27822\"\n );\n script_xref(name:\"RHSA\", value:\"2021:0246\");\n\n script_name(english:\"RHEL 6 : Red Hat JBoss Enterprise Application Platform 7.3.5 (RHSA-2021:0246)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:0246 advisory.\n\n - apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)\n\n - resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's\n WebApplicationException handling (CVE-2020-25633)\n\n - wildfly: resource adapter logs plaintext JMS password at warning level on connection error\n (CVE-2020-25640)\n\n - wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-\n controller (CVE-2020-25689)\n\n - undertow: special character in query results in server errors (CVE-2020-27782)\n\n - wildfly: Potential Memory leak in Wildfly when using OpenTracing (CVE-2020-27822)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/20.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/209.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/400.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/401.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/532.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-13956\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25633\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25640\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25689\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-27782\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-27822\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:0246\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1879042\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1881637\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1886587\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1893070\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1901304\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1904060\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25633\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-25640\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 209, 400, 401, 532);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jdbc-store\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hal-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-httpcomponents-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2-to-eap7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.3-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-compensations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-idlj\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-integration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-bridge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-integration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-txframework\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-opentracing-interceptors\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-atom-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-cdi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-client-microprofile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-crypto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jackson2-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxb-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jaxrs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jettison-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jose-jwt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-jsapi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-json-binding-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-json-p-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-multipart-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-rxjava2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-spring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-validator-provider-11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-resteasy-yaml-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-undertow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-discovery-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron-tool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nvar os_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '6')) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar repositories = {\n 'jboss_enterprise_application_platform_7_3_el6': [\n 'jb-eap-7.3-for-rhel-6-server-debug-rpms',\n 'jb-eap-7.3-for-rhel-6-server-rpms',\n 'jb-eap-7.3-for-rhel-6-server-source-rpms'\n ]\n};\n\nvar repo_sets = rhel_get_valid_repo_sets(repositories:repositories);\nif(repo_sets == RHEL_REPOS_NO_OVERLAP_MESSAGE) audit(AUDIT_PACKAGE_LIST_MISSING, RHEL_REPO_AUDIT_PACKAGE_LIST_DETAILS);\n\nvar pkgs = [\n {'reference':'eap7-activemq-artemis-2.9.0-7.redhat_00017.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-cli-2.9.0-7.redhat_00017.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-commons-2.9.0-7.redhat_00017.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-core-client-2.9.0-7.redhat_00017.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-dto-2.9.0-7.redhat_00017.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-hornetq-protocol-2.9.0-7.redhat_00017.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-hqclient-protocol-2.9.0-7.redhat_00017.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-jdbc-store-2.9.0-7.redhat_00017.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-jms-client-2.9.0-7.redhat_00017.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-jms-server-2.9.0-7.redhat_00017.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-journal-2.9.0-7.redhat_00017.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-ra-2.9.0-7.redhat_00017.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-selector-2.9.0-7.redhat_00017.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-server-2.9.0-7.redhat_00017.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-service-extensions-2.9.0-7.redhat_00017.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-tools-2.9.0-7.redhat_00017.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-glassfish-jsf-2.3.9-12.SP13_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-hal-console-3.2.12-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-hibernate-5.3.20-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-hibernate-core-5.3.20-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-hibernate-entitymanager-5.3.20-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-hibernate-envers-5.3.20-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-hibernate-java8-5.3.20-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-httpcomponents-client-4.5.13-1.redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-ejb-client-4.0.37-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-genericjms-2.0.8-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-modules-1.11.0-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-remoting-5.0.20-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-1.7.2-4.Final_redhat_00005.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-cli-1.7.2-4.Final_redhat_00005.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-core-1.7.2-4.Final_redhat_00005.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-eap6.4-1.7.2-4.Final_redhat_00005.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-eap6.4-to-eap7.3-1.7.2-4.Final_redhat_00005.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-eap7.0-1.7.2-4.Final_redhat_00005.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-eap7.1-1.7.2-4.Final_redhat_00005.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-eap7.2-1.7.2-4.Final_redhat_00005.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-eap7.2-to-eap7.3-1.7.2-4.Final_redhat_00005.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-eap7.3-server-1.7.2-4.Final_redhat_00005.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-wildfly10.0-1.7.2-4.Final_redhat_00005.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-wildfly10.1-1.7.2-4.Final_redhat_00005.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-wildfly11.0-1.7.2-4.Final_redhat_00005.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-wildfly12.0-1.7.2-4.Final_redhat_00005.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-wildfly13.0-server-1.7.2-4.Final_redhat_00005.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-wildfly14.0-server-1.7.2-4.Final_redhat_00005.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-wildfly15.0-server-1.7.2-4.Final_redhat_00005.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-wildfly16.0-server-1.7.2-4.Final_redhat_00005.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-wildfly17.0-server-1.7.2-4.Final_redhat_00005.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-wildfly18.0-server-1.7.2-4.Final_redhat_00005.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-wildfly8.2-1.7.2-4.Final_redhat_00005.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-wildfly9.0-1.7.2-4.Final_redhat_00005.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-xnio-base-3.7.12-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-narayana-5.9.10-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-narayana-compensations-5.9.10-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-narayana-jbosstxbridge-5.9.10-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-narayana-jbossxts-5.9.10-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-narayana-jts-idlj-5.9.10-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-narayana-jts-integration-5.9.10-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-narayana-restat-api-5.9.10-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-narayana-restat-bridge-5.9.10-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-narayana-restat-integration-5.9.10-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-narayana-restat-util-5.9.10-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-narayana-txframework-5.9.10-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-opentracing-interceptors-0.0.4.1-2.redhat_00002.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-resteasy-3.11.3-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-resteasy-atom-provider-3.11.3-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-resteasy-cdi-3.11.3-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-resteasy-client-3.11.3-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-resteasy-client-microprofile-3.11.3-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-resteasy-crypto-3.11.3-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-resteasy-jackson-provider-3.11.3-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-resteasy-jackson2-provider-3.11.3-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-resteasy-jaxb-provider-3.11.3-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-resteasy-jaxrs-3.11.3-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-resteasy-jettison-provider-3.11.3-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-resteasy-jose-jwt-3.11.3-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-resteasy-jsapi-3.11.3-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-resteasy-json-binding-provider-3.11.3-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-resteasy-json-p-provider-3.11.3-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-resteasy-multipart-provider-3.11.3-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-resteasy-rxjava2-3.11.3-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-resteasy-spring-3.11.3-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-resteasy-validator-provider-11-3.11.3-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-resteasy-yaml-provider-3.11.3-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-undertow-2.0.33-1.SP2_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-wildfly-7.3.5-2.GA_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-wildfly-discovery-client-1.2.1-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-wildfly-elytron-1.10.10-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-wildfly-elytron-tool-1.10.10-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-wildfly-http-client-common-1.0.24-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-wildfly-http-ejb-client-1.0.24-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-wildfly-http-naming-client-1.0.24-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-wildfly-http-transaction-client-1.0.24-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-wildfly-javadocs-7.3.5-2.GA_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-wildfly-modules-7.3.5-2.GA_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n var repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference &&\n release &&\n (rhel_decide_repo_check(repo_list:repo_list, repo_sets:repo_sets) || (!exists_check || rpm_exists(release:release, rpm:exists_check))) &&\n rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(repo_sets)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'eap7-activemq-artemis / eap7-activemq-artemis-cli / etc');\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-16T15:37:45", "description": "Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.\n\nCVE-2020-9484\n\nWhen using Apache Tomcat and an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter='null' (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.\n\nCVE-2020-11996\n\nA specially crafted sequence of HTTP/2 requests sent to Apache Tomcat could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.\n\nFor Debian 9 stretch, these problems have been fixed in version 8.5.54-0+deb9u2.\n\nWe recommend that you upgrade your tomcat8 packages.\n\nFor the detailed security status of tomcat8 please refer to its security tracker page at:\nhttps://security-tracker.debian.org/tracker/tomcat8\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7, "vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-07-14T00:00:00", "type": "nessus", "title": "Debian DLA-2279-1 : tomcat8 security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11996", "CVE-2020-9484"], "modified": "2021-06-03T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libservlet3.1-java", "p-cpe:/a:debian:debian_linux:libservlet3.1-java-doc", "p-cpe:/a:debian:debian_linux:libtomcat8-embed-java", "p-cpe:/a:debian:debian_linux:libtomcat8-java", "p-cpe:/a:debian:debian_linux:tomcat8", "p-cpe:/a:debian:debian_linux:tomcat8-admin", "p-cpe:/a:debian:debian_linux:tomcat8-common", "p-cpe:/a:debian:debian_linux:tomcat8-docs", "p-cpe:/a:debian:debian_linux:tomcat8-examples", "p-cpe:/a:debian:debian_linux:tomcat8-user", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2279.NASL", "href": "https://www.tenable.com/plugins/nessus/138393", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2279-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(138393);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/03\");\n\n script_cve_id(\"CVE-2020-11996\", \"CVE-2020-9484\");\n script_xref(name:\"IAVA\", value:\"2020-A-0292-S\");\n\n script_name(english:\"Debian DLA-2279-1 : tomcat8 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Several security vulnerabilities have been discovered in the Tomcat\nservlet and JSP engine.\n\nCVE-2020-9484\n\nWhen using Apache Tomcat and an attacker is able to control the\ncontents and name of a file on the server; and b) the server is\nconfigured to use the PersistenceManager with a FileStore; and c) the\nPersistenceManager is configured with\nsessionAttributeValueClassNameFilter='null' (the default unless a\nSecurityManager is used) or a sufficiently lax filter to allow the\nattacker provided object to be deserialized; and d) the attacker knows\nthe relative file path from the storage location used by FileStore to\nthe file the attacker has control over; then, using a specifically\ncrafted request, the attacker will be able to trigger remote code\nexecution via deserialization of the file under their control. Note\nthat all of conditions a) to d) must be true for the attack to\nsucceed.\n\nCVE-2020-11996\n\nA specially crafted sequence of HTTP/2 requests sent to Apache Tomcat\ncould trigger high CPU usage for several seconds. If a sufficient\nnumber of such requests were made on concurrent HTTP/2 connections,\nthe server could become unresponsive.\n\nFor Debian 9 stretch, these problems have been fixed in version\n8.5.54-0+deb9u2.\n\nWe recommend that you upgrade your tomcat8 packages.\n\nFor the detailed security status of tomcat8 please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/tomcat8\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/07/msg00010.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/tomcat8\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/tomcat8\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-9484\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libservlet3.1-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libservlet3.1-java-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libtomcat8-embed-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libtomcat8-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8-admin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8-examples\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8-user\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"libservlet3.1-java\", reference:\"8.5.54-0+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libservlet3.1-java-doc\", reference:\"8.5.54-0+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libtomcat8-embed-java\", reference:\"8.5.54-0+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libtomcat8-java\", reference:\"8.5.54-0+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8\", reference:\"8.5.54-0+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8-admin\", reference:\"8.5.54-0+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8-common\", reference:\"8.5.54-0+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8-docs\", reference:\"8.5.54-0+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8-examples\", reference:\"8.5.54-0+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8-user\", reference:\"8.5.54-0+deb9u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-23T15:14:58", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:5341 advisory.\n\n - hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used (CVE-2020-25638)\n\n - wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL (CVE-2020-25644)\n\n - jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE) (CVE-2020-25649)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "published": "2020-12-04T00:00:00", "type": "nessus", "title": "RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.3.4 (RHSA-2020:5341)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25638", "CVE-2020-25644", "CVE-2020-25649"], "modified": "2022-05-11T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jdbc-store", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-tools", "p-cpe:/a:redhat:enterprise_linux:eap7-fge-btf", "p-cpe:/a:redhat:enterprise_linux:eap7-fge-msg-simple", "p-cpe:/a:redhat:enterprise_linux:eap7-hal-console", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator-cdi", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-coreutils", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-base", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8", "p-cpe:/a:redhat:enterprise_linux:eap7-jasypt", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.3", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2-to-eap7.3", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.3-server", "p-cpe:/a:redhat:enterprise_linux:eap7-undertow", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron-tool", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk11", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk8", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-openssl", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-openssl-java"], "id": "REDHAT-RHSA-2020-5341.NASL", "href": "https://www.tenable.com/plugins/nessus/143472", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:5341. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143472);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/11\");\n\n script_cve_id(\"CVE-2020-25638\", \"CVE-2020-25644\", \"CVE-2020-25649\");\n script_xref(name:\"RHSA\", value:\"2020:5341\");\n\n script_name(english:\"RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.3.4 (RHSA-2020:5341)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2020:5341 advisory.\n\n - hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals\n are used (CVE-2020-25638)\n\n - wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL (CVE-2020-25644)\n\n - jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity\n (XXE) (CVE-2020-25649)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/89.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/400.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/611.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25638\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25644\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25649\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:5341\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1881353\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1885485\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1887664\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25638\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-25649\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(89, 400, 611);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jdbc-store\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-fge-btf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-fge-msg-simple\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hal-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator-cdi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-coreutils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jasypt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2-to-eap7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.3-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-undertow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron-tool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-openssl-java\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nvar os_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar repositories = {\n 'jboss_enterprise_application_platform_7_3_el7': [\n 'jb-eap-7.3-for-rhel-7-server-debug-rpms',\n 'jb-eap-7.3-for-rhel-7-server-rpms',\n 'jb-eap-7.3-for-rhel-7-server-source-rpms'\n ]\n};\n\nvar repo_sets = rhel_get_valid_repo_sets(repositories:repositories);\nif(repo_sets == RHEL_REPOS_NO_OVERLAP_MESSAGE) audit(AUDIT_PACKAGE_LIST_MISSING, RHEL_REPO_AUDIT_PACKAGE_LIST_DETAILS);\n\nvar pkgs = [\n {'reference':'eap7-activemq-artemis-2.9.0-6.redhat_00016.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-cli-2.9.0-6.redhat_00016.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-commons-2.9.0-6.redhat_00016.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-core-client-2.9.0-6.redhat_00016.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-dto-2.9.0-6.redhat_00016.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-hornetq-protocol-2.9.0-6.redhat_00016.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-hqclient-protocol-2.9.0-6.redhat_00016.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-jdbc-store-2.9.0-6.redhat_00016.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-jms-client-2.9.0-6.redhat_00016.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-jms-server-2.9.0-6.redhat_00016.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-journal-2.9.0-6.redhat_00016.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-ra-2.9.0-6.redhat_00016.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-selector-2.9.0-6.redhat_00016.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-server-2.9.0-6.redhat_00016.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-service-extensions-2.9.0-6.redhat_00016.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-activemq-artemis-tools-2.9.0-6.redhat_00016.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-fge-btf-1.2.0-1.redhat_00007.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-fge-msg-simple-1.1.0-1.redhat_00007.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-hal-console-3.2.11-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-hibernate-validator-6.0.21-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-hibernate-validator-cdi-6.0.21-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jackson-annotations-2.10.4-1.redhat_00002.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jackson-core-2.10.4-1.redhat_00002.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jackson-coreutils-1.6.0-1.redhat_00006.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jackson-datatype-jdk8-2.10.4-1.redhat_00002.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jackson-datatype-jsr310-2.10.4-1.redhat_00002.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jackson-jaxrs-base-2.10.4-1.redhat_00002.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jackson-jaxrs-json-provider-2.10.4-1.redhat_00002.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jackson-module-jaxb-annotations-2.10.4-3.redhat_00002.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jackson-modules-base-2.10.4-3.redhat_00002.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jackson-modules-java8-2.10.4-1.redhat_00002.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jasypt-1.9.3-1.redhat_00002.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-marshalling-2.0.10-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-marshalling-river-2.0.10-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-remoting-5.0.19-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-1.7.2-3.Final_redhat_00004.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-cli-1.7.2-3.Final_redhat_00004.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-core-1.7.2-3.Final_redhat_00004.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-eap6.4-1.7.2-3.Final_redhat_00004.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-eap6.4-to-eap7.3-1.7.2-3.Final_redhat_00004.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-eap7.0-1.7.2-3.Final_redhat_00004.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-eap7.1-1.7.2-3.Final_redhat_00004.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-eap7.2-1.7.2-3.Final_redhat_00004.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-eap7.2-to-eap7.3-1.7.2-3.Final_redhat_00004.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-eap7.3-server-1.7.2-3.Final_redhat_00004.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-wildfly10.0-1.7.2-3.Final_redhat_00004.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-wildfly10.1-1.7.2-3.Final_redhat_00004.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-wildfly11.0-1.7.2-3.Final_redhat_00004.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-wildfly12.0-1.7.2-3.Final_redhat_00004.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-wildfly13.0-server-1.7.2-3.Final_redhat_00004.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-wildfly14.0-server-1.7.2-3.Final_redhat_00004.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-wildfly15.0-server-1.7.2-3.Final_redhat_00004.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-wildfly16.0-server-1.7.2-3.Final_redhat_00004.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-wildfly17.0-server-1.7.2-3.Final_redhat_00004.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-wildfly18.0-server-1.7.2-3.Final_redhat_00004.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-wildfly8.2-1.7.2-3.Final_redhat_00004.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-server-migration-wildfly9.0-1.7.2-3.Final_redhat_00004.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-jboss-xnio-base-3.7.11-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-undertow-2.0.32-1.SP1_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-wildfly-7.3.4-3.GA_redhat_00003.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-wildfly-elytron-1.10.9-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-wildfly-elytron-tool-1.10.9-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-wildfly-java-jdk11-7.3.4-3.GA_redhat_00003.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-wildfly-java-jdk8-7.3.4-3.GA_redhat_00003.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-wildfly-javadocs-7.3.4-3.GA_redhat_00003.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-wildfly-modules-7.3.4-3.GA_redhat_00003.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-wildfly-openssl-1.0.12-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']},\n {'reference':'eap7-wildfly-openssl-java-1.0.12-1.Final_redhat_00001.1.el7eap', 'release':'7', 'el_string':'el7eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el7']}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n var repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference &&\n release &&\n (rhel_decide_repo_check(repo_list:repo_list, repo_sets:repo_sets) || (!exists_check || rpm_exists(release:release, rpm:exists_check))) &&\n rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(repo_sets)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'eap7-activemq-artemis / eap7-activemq-artemis-cli / etc');\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-06-23T15:14:34", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:5342 advisory.\n\n - hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used (CVE-2020-25638)\n\n - wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL (CVE-2020-25644)\n\n - jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE) (CVE-2020-25649)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "published": "2020-12-04T00:00:00", "type": "nessus", "title": "RHEL 8 : Red Hat JBoss Enterprise Application Platform 7.3.4 (RHSA-2020:5342)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25638", "CVE-2020-25644", "CVE-2020-25649"], "modified": "2022-05-11T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:8", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jdbc-store", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-tools", "p-cpe:/a:redhat:enterprise_linux:eap7-fge-btf", "p-cpe:/a:redhat:enterprise_linux:eap7-fge-msg-simple", "p-cpe:/a:redhat:enterprise_linux:eap7-hal-console", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator-cdi", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-coreutils", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-base", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8", "p-cpe:/a:redhat:enterprise_linux:eap7-jasypt", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.3", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2-to-eap7.3", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.3-server", "p-cpe:/a:redhat:enterprise_linux:eap7-undertow", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron-tool", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-openssl", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-openssl-java"], "id": "REDHAT-RHSA-2020-5342.NASL", "href": "https://www.tenable.com/plugins/nessus/143474", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:5342. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143474);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/11\");\n\n script_cve_id(\"CVE-2020-25638\", \"CVE-2020-25644\", \"CVE-2020-25649\");\n script_xref(name:\"RHSA\", value:\"2020:5342\");\n\n script_name(english:\"RHEL 8 : Red Hat JBoss Enterprise Application Platform 7.3.4 (RHSA-2020:5342)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2020:5342 advisory.\n\n - hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals\n are used (CVE-2020-25638)\n\n - wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL (CVE-2020-25644)\n\n - jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity\n (XXE) (CVE-2020-25649)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/89.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/400.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/611.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25638\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25644\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25649\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:5342\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1881353\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1885485\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1887664\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25638\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-25649\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(89, 400, 611);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jdbc-store\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-fge-btf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-fge-msg-simple\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hal-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator-cdi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-coreutils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jasypt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2-to-eap7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.3-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-undertow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron-tool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-openssl-java\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nvar os_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar repositories = {\n 'jboss_enterprise_application_platform_7_3_el8': [\n 'jb-eap-7.3-for-rhel-8-x86_64-debug-rpms',\n 'jb-eap-7.3-for-rhel-8-x86_64-rpms',\n 'jb-eap-7.3-for-rhel-8-x86_64-source-rpms'\n ]\n};\n\nvar repo_sets = rhel_get_valid_repo_sets(repositories:repositories);\nif(repo_sets == RHEL_REPOS_NO_OVERLAP_MESSAGE) audit(AUDIT_PACKAGE_LIST_MISSING, RHEL_REPO_AUDIT_PACKAGE_LIST_DETAILS);\n\nvar pkgs = [\n {'reference':'eap7-activemq-artemis-2.9.0-6.redhat_00016.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-cli-2.9.0-6.redhat_00016.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-commons-2.9.0-6.redhat_00016.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-core-client-2.9.0-6.redhat_00016.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-dto-2.9.0-6.redhat_00016.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-hornetq-protocol-2.9.0-6.redhat_00016.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-hqclient-protocol-2.9.0-6.redhat_00016.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-jdbc-store-2.9.0-6.redhat_00016.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-jms-client-2.9.0-6.redhat_00016.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-jms-server-2.9.0-6.redhat_00016.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-journal-2.9.0-6.redhat_00016.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-ra-2.9.0-6.redhat_00016.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-selector-2.9.0-6.redhat_00016.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-server-2.9.0-6.redhat_00016.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-service-extensions-2.9.0-6.redhat_00016.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-activemq-artemis-tools-2.9.0-6.redhat_00016.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-fge-btf-1.2.0-1.redhat_00007.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-fge-msg-simple-1.1.0-1.redhat_00007.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-hal-console-3.2.11-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-hibernate-validator-6.0.21-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-hibernate-validator-cdi-6.0.21-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jackson-annotations-2.10.4-1.redhat_00002.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jackson-core-2.10.4-1.redhat_00002.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jackson-coreutils-1.6.0-1.redhat_00006.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jackson-datatype-jdk8-2.10.4-1.redhat_00002.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jackson-datatype-jsr310-2.10.4-1.redhat_00002.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jackson-jaxrs-base-2.10.4-1.redhat_00002.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jackson-jaxrs-json-provider-2.10.4-1.redhat_00002.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jackson-module-jaxb-annotations-2.10.4-3.redhat_00002.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jackson-modules-base-2.10.4-3.redhat_00002.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jackson-modules-java8-2.10.4-1.redhat_00002.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jasypt-1.9.3-1.redhat_00002.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-marshalling-2.0.10-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-marshalling-river-2.0.10-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-remoting-5.0.19-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-1.7.2-3.Final_redhat_00004.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-cli-1.7.2-3.Final_redhat_00004.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-core-1.7.2-3.Final_redhat_00004.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-eap6.4-1.7.2-3.Final_redhat_00004.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-eap6.4-to-eap7.3-1.7.2-3.Final_redhat_00004.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-eap7.0-1.7.2-3.Final_redhat_00004.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-eap7.1-1.7.2-3.Final_redhat_00004.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-eap7.2-1.7.2-3.Final_redhat_00004.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-eap7.2-to-eap7.3-1.7.2-3.Final_redhat_00004.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-eap7.3-server-1.7.2-3.Final_redhat_00004.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-wildfly10.0-1.7.2-3.Final_redhat_00004.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-wildfly10.1-1.7.2-3.Final_redhat_00004.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-wildfly11.0-1.7.2-3.Final_redhat_00004.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-wildfly12.0-1.7.2-3.Final_redhat_00004.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-wildfly13.0-server-1.7.2-3.Final_redhat_00004.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-wildfly14.0-server-1.7.2-3.Final_redhat_00004.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-wildfly15.0-server-1.7.2-3.Final_redhat_00004.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-wildfly16.0-server-1.7.2-3.Final_redhat_00004.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-wildfly17.0-server-1.7.2-3.Final_redhat_00004.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-wildfly18.0-server-1.7.2-3.Final_redhat_00004.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-wildfly8.2-1.7.2-3.Final_redhat_00004.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-server-migration-wildfly9.0-1.7.2-3.Final_redhat_00004.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-jboss-xnio-base-3.7.11-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-undertow-2.0.32-1.SP1_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-wildfly-7.3.4-3.GA_redhat_00003.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-wildfly-elytron-1.10.9-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-wildfly-elytron-tool-1.10.9-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-wildfly-javadocs-7.3.4-3.GA_redhat_00003.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-wildfly-modules-7.3.4-3.GA_redhat_00003.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-wildfly-openssl-1.0.12-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']},\n {'reference':'eap7-wildfly-openssl-java-1.0.12-1.Final_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el8']}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n var repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference &&\n release &&\n (rhel_decide_repo_check(repo_list:repo_list, repo_sets:repo_sets) || (!exists_check || rpm_exists(release:release, rpm:exists_check))) &&\n rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(repo_sets)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'eap7-activemq-artemis / eap7-activemq-artemis-cli / etc');\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-06-23T15:16:05", "description": "The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:5340 advisory.\n\n - hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used (CVE-2020-25638)\n\n - wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL (CVE-2020-25644)\n\n - jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE) (CVE-2020-25649)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "published": "2020-12-04T00:00:00", "type": "nessus", "title": "RHEL 6 : Red Hat JBoss Enterprise Application Platform 7.3.4 (RHSA-2020:5340)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25638", "CVE-2020-25644", "CVE-2020-25649"], "modified": "2022-05-11T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jdbc-store", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-tools", "p-cpe:/a:redhat:enterprise_linux:eap7-fge-btf", "p-cpe:/a:redhat:enterprise_linux:eap7-fge-msg-simple", "p-cpe:/a:redhat:enterprise_linux:eap7-hal-console", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator-cdi", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-coreutils", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-base", "p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8", "p-cpe:/a:redhat:enterprise_linux:eap7-jasypt", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.3", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2-to-eap7.3", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.3-server", "p-cpe:/a:redhat:enterprise_linux:eap7-undertow", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron-tool", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-openssl", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-openssl-java"], "id": "REDHAT-RHSA-2020-5340.NASL", "href": "https://www.tenable.com/plugins/nessus/143473", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:5340. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143473);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/11\");\n\n script_cve_id(\"CVE-2020-25638\", \"CVE-2020-25644\", \"CVE-2020-25649\");\n script_xref(name:\"RHSA\", value:\"2020:5340\");\n\n script_name(english:\"RHEL 6 : Red Hat JBoss Enterprise Application Platform 7.3.4 (RHSA-2020:5340)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2020:5340 advisory.\n\n - hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals\n are used (CVE-2020-25638)\n\n - wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL (CVE-2020-25644)\n\n - jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity\n (XXE) (CVE-2020-25649)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/89.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/400.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/611.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25638\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25644\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25649\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:5340\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1881353\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1885485\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1887664\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25638\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-25649\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(89, 400, 611);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jdbc-store\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-fge-btf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-fge-msg-simple\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hal-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator-cdi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-coreutils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jasypt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2-to-eap7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.3-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-undertow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron-tool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-openssl-java\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nvar os_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '6')) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar repositories = {\n 'jboss_enterprise_application_platform_7_3_el6': [\n 'jb-eap-7.3-for-rhel-6-server-debug-rpms',\n 'jb-eap-7.3-for-rhel-6-server-rpms',\n 'jb-eap-7.3-for-rhel-6-server-source-rpms'\n ]\n};\n\nvar repo_sets = rhel_get_valid_repo_sets(repositories:repositories);\nif(repo_sets == RHEL_REPOS_NO_OVERLAP_MESSAGE) audit(AUDIT_PACKAGE_LIST_MISSING, RHEL_REPO_AUDIT_PACKAGE_LIST_DETAILS);\n\nvar pkgs = [\n {'reference':'eap7-activemq-artemis-2.9.0-6.redhat_00016.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-cli-2.9.0-6.redhat_00016.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-commons-2.9.0-6.redhat_00016.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-core-client-2.9.0-6.redhat_00016.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-dto-2.9.0-6.redhat_00016.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-hornetq-protocol-2.9.0-6.redhat_00016.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-hqclient-protocol-2.9.0-6.redhat_00016.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-jdbc-store-2.9.0-6.redhat_00016.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-jms-client-2.9.0-6.redhat_00016.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-jms-server-2.9.0-6.redhat_00016.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-journal-2.9.0-6.redhat_00016.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-ra-2.9.0-6.redhat_00016.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-selector-2.9.0-6.redhat_00016.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-server-2.9.0-6.redhat_00016.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-service-extensions-2.9.0-6.redhat_00016.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-tools-2.9.0-6.redhat_00016.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-fge-btf-1.2.0-1.redhat_00007.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-fge-msg-simple-1.1.0-1.redhat_00007.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-hal-console-3.2.11-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-hibernate-validator-6.0.21-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-hibernate-validator-cdi-6.0.21-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jackson-annotations-2.10.4-1.redhat_00002.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jackson-core-2.10.4-1.redhat_00002.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jackson-coreutils-1.6.0-1.redhat_00006.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jackson-datatype-jdk8-2.10.4-1.redhat_00002.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jackson-datatype-jsr310-2.10.4-1.redhat_00002.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jackson-jaxrs-base-2.10.4-1.redhat_00002.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jackson-jaxrs-json-provider-2.10.4-1.redhat_00002.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jackson-module-jaxb-annotations-2.10.4-3.redhat_00002.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jackson-modules-base-2.10.4-3.redhat_00002.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jackson-modules-java8-2.10.4-1.redhat_00002.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jasypt-1.9.3-1.redhat_00002.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-marshalling-2.0.10-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-marshalling-river-2.0.10-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-remoting-5.0.19-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-1.7.2-3.Final_redhat_00004.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-cli-1.7.2-3.Final_redhat_00004.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-core-1.7.2-3.Final_redhat_00004.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-eap6.4-1.7.2-3.Final_redhat_00004.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-eap6.4-to-eap7.3-1.7.2-3.Final_redhat_00004.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-eap7.0-1.7.2-3.Final_redhat_00004.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-eap7.1-1.7.2-3.Final_redhat_00004.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-eap7.2-1.7.2-3.Final_redhat_00004.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-eap7.2-to-eap7.3-1.7.2-3.Final_redhat_00004.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-eap7.3-server-1.7.2-3.Final_redhat_00004.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-wildfly10.0-1.7.2-3.Final_redhat_00004.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-wildfly10.1-1.7.2-3.Final_redhat_00004.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-wildfly11.0-1.7.2-3.Final_redhat_00004.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-wildfly12.0-1.7.2-3.Final_redhat_00004.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-wildfly13.0-server-1.7.2-3.Final_redhat_00004.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-wildfly14.0-server-1.7.2-3.Final_redhat_00004.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-wildfly15.0-server-1.7.2-3.Final_redhat_00004.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-wildfly16.0-server-1.7.2-3.Final_redhat_00004.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-wildfly17.0-server-1.7.2-3.Final_redhat_00004.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-wildfly18.0-server-1.7.2-3.Final_redhat_00004.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-wildfly8.2-1.7.2-3.Final_redhat_00004.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-server-migration-wildfly9.0-1.7.2-3.Final_redhat_00004.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-jboss-xnio-base-3.7.11-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-undertow-2.0.32-1.SP1_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-wildfly-7.3.4-3.GA_redhat_00003.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-wildfly-elytron-1.10.9-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-wildfly-elytron-tool-1.10.9-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-wildfly-javadocs-7.3.4-3.GA_redhat_00003.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-wildfly-modules-7.3.4-3.GA_redhat_00003.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-wildfly-openssl-1.0.12-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-wildfly-openssl-java-1.0.12-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n var repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference &&\n release &&\n (rhel_decide_repo_check(repo_list:repo_list, repo_sets:repo_sets) || (!exists_check || rpm_exists(release:release, rpm:exists_check))) &&\n rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(repo_sets)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'eap7-activemq-artemis / eap7-activemq-artemis-cli / etc');\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-08-13T17:00:03", "description": "The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3303 advisory.\n\n - tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935)\n\n - tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling (CVE-2020-1935)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 4.8, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2020-08-04T00:00:00", "type": "nessus", "title": "RHEL 6 : Red Hat JBoss Web Server 3.1 Service Pack 10 (RHSA-2020:3303)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13935", "CVE-2020-1935"], "modified": "2021-10-12T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:6", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:tomcat7", "p-cpe:/a:redhat:enterprise_linux:tomcat7-admin-webapps", "p-cpe:/a:redhat:enterprise_linux:tomcat7-docs-webapp", "p-cpe:/a:redhat:enterprise_linux:tomcat7-el-2.2-api", "p-cpe:/a:redhat:enterprise_linux:tomcat7-javadoc", "p-cpe:/a:redhat:enterprise_linux:tomcat7-jsp-2.2-api", "p-cpe:/a:redhat:enterprise_linux:tomcat7-jsvc", "p-cpe:/a:redhat:enterprise_linux:tomcat7-lib", "p-cpe:/a:redhat:enterprise_linux:tomcat7-log4j", "p-cpe:/a:redhat:enterprise_linux:tomcat7-selinux", "p-cpe:/a:redhat:enterprise_linux:tomcat7-servlet-3.0-api", "p-cpe:/a:redhat:enterprise_linux:tomcat7-webapps", "p-cpe:/a:redhat:enterprise_linux:tomcat8", "p-cpe:/a:redhat:enterprise_linux:tomcat8-admin-webapps", "p-cpe:/a:redhat:enterprise_linux:tomcat8-docs-webapp", "p-cpe:/a:redhat:enterprise_linux:tomcat8-el-2.2-api", "p-cpe:/a:redhat:enterprise_linux:tomcat8-javadoc", "p-cpe:/a:redhat:enterprise_linux:tomcat8-jsp-2.3-api", "p-cpe:/a:redhat:enterprise_linux:tomcat8-jsvc", "p-cpe:/a:redhat:enterprise_linux:tomcat8-lib", "p-cpe:/a:redhat:enterprise_linux:tomcat8-log4j", "p-cpe:/a:redhat:enterprise_linux:tomcat8-selinux", "p-cpe:/a:redhat:enterprise_linux:tomcat8-servlet-3.1-api", "p-cpe:/a:redhat:enterprise_linux:tomcat8-webapps"], "id": "REDHAT-RHSA-2020-3303.NASL", "href": "https://www.tenable.com/plugins/nessus/139323", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:3303. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(139323);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/10/12\");\n\n script_cve_id(\"CVE-2020-1935\", \"CVE-2020-13935\");\n script_xref(name:\"RHSA\", value:\"2020:3303\");\n script_xref(name:\"IAVB\", value:\"2020-B-0010-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0316-S\");\n\n script_name(english:\"RHEL 6 : Red Hat JBoss Web Server 3.1 Service Pack 10 (RHSA-2020:3303)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2020:3303 advisory.\n\n - tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS\n (CVE-2020-13935)\n\n - tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling (CVE-2020-1935)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/400.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/444.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-1935\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-13935\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:3303\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1806835\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1857024\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1935\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(400, 444);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-el-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-jsp-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-log4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-servlet-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-el-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-jsp-2.3-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-log4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-servlet-3.1-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-webapps\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nvar os_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '6')) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar repositories = {\n 'jboss_enterprise_web_server_3_0_el6': [\n 'jws-3-for-rhel-6-server-debug-rpms',\n 'jws-3-for-rhel-6-server-rpms',\n 'jws-3-for-rhel-6-server-source-rpms'\n ],\n 'jboss_enterprise_web_server_3_0_el7': [\n 'jws-3-for-rhel-7-server-debug-rpms',\n 'jws-3-for-rhel-7-server-rpms',\n 'jws-3-for-rhel-7-server-source-rpms'\n ],\n 'jboss_enterprise_web_server_3_1_el6': [\n 'jws-3-for-rhel-6-server-debug-rpms',\n 'jws-3-for-rhel-6-server-rpms',\n 'jws-3-for-rhel-6-server-source-rpms'\n ],\n 'jboss_enterprise_web_server_3_1_el7': [\n 'jws-3-for-rhel-7-server-debug-rpms',\n 'jws-3-for-rhel-7-server-rpms',\n 'jws-3-for-rhel-7-server-source-rpms'\n ]\n};\n\nvar repo_sets = rhel_get_valid_repo_sets(repositories:repositories);\nif(repo_sets == RHEL_REPOS_NO_OVERLAP_MESSAGE) audit(AUDIT_PACKAGE_LIST_MISSING, RHEL_REPO_AUDIT_PACKAGE_LIST_DETAILS);\n\nvar pkgs = [\n {'reference':'tomcat7-7.0.70-41.ep7.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-3', 'repo_list':['jboss_enterprise_web_server_3_0_el6', 'jboss_enterprise_web_server_3_0_el7', 'jboss_enterprise_web_server_3_1_el6', 'jboss_enterprise_web_server_3_1_el7']},\n {'reference':'tomcat7-admin-webapps-7.0.70-41.ep7.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-3', 'repo_list':['jboss_enterprise_web_server_3_0_el6', 'jboss_enterprise_web_server_3_0_el7', 'jboss_enterprise_web_server_3_1_el6', 'jboss_enterprise_web_server_3_1_el7']},\n {'reference':'tomcat7-docs-webapp-7.0.70-41.ep7.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-3', 'repo_list':['jboss_enterprise_web_server_3_0_el6', 'jboss_enterprise_web_server_3_0_el7', 'jboss_enterprise_web_server_3_1_el6', 'jboss_enterprise_web_server_3_1_el7']},\n {'reference':'tomcat7-el-2.2-api-7.0.70-41.ep7.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-3', 'repo_list':['jboss_enterprise_web_server_3_0_el6', 'jboss_enterprise_web_server_3_0_el7', 'jboss_enterprise_web_server_3_1_el6', 'jboss_enterprise_web_server_3_1_el7']},\n {'reference':'tomcat7-javadoc-7.0.70-41.ep7.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-3', 'repo_list':['jboss_enterprise_web_server_3_0_el6', 'jboss_enterprise_web_server_3_0_el7', 'jboss_enterprise_web_server_3_1_el6', 'jboss_enterprise_web_server_3_1_el7']},\n {'reference':'tomcat7-jsp-2.2-api-7.0.70-41.ep7.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-3', 'repo_list':['jboss_enterprise_web_server_3_0_el6', 'jboss_enterprise_web_server_3_0_el7', 'jboss_enterprise_web_server_3_1_el6', 'jboss_enterprise_web_server_3_1_el7']},\n {'reference':'tomcat7-jsvc-7.0.70-41.ep7.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-3', 'repo_list':['jboss_enterprise_web_server_3_0_el6', 'jboss_enterprise_web_server_3_0_el7', 'jboss_enterprise_web_server_3_1_el6', 'jboss_enterprise_web_server_3_1_el7']},\n {'reference':'tomcat7-lib-7.0.70-41.ep7.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-3', 'repo_list':['jboss_enterprise_web_server_3_0_el6', 'jboss_enterprise_web_server_3_0_el7', 'jboss_enterprise_web_server_3_1_el6', 'jboss_enterprise_web_server_3_1_el7']},\n {'reference':'tomcat7-log4j-7.0.70-41.ep7.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-3', 'repo_list':['jboss_enterprise_web_server_3_0_el6', 'jboss_enterprise_web_server_3_0_el7', 'jboss_enterprise_web_server_3_1_el6', 'jboss_enterprise_web_server_3_1_el7']},\n {'reference':'tomcat7-selinux-7.0.70-41.ep7.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-3', 'repo_list':['jboss_enterprise_web_server_3_0_el6', 'jboss_enterprise_web_server_3_0_el7', 'jboss_enterprise_web_server_3_1_el6', 'jboss_enterprise_web_server_3_1_el7']},\n {'reference':'tomcat7-servlet-3.0-api-7.0.70-41.ep7.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-3', 'repo_list':['jboss_enterprise_web_server_3_0_el6', 'jboss_enterprise_web_server_3_0_el7', 'jboss_enterprise_web_server_3_1_el6', 'jboss_enterprise_web_server_3_1_el7']},\n {'reference':'tomcat7-webapps-7.0.70-41.ep7.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-3', 'repo_list':['jboss_enterprise_web_server_3_0_el6', 'jboss_enterprise_web_server_3_0_el7', 'jboss_enterprise_web_server_3_1_el6', 'jboss_enterprise_web_server_3_1_el7']},\n {'reference':'tomcat8-8.0.36-45.ep7.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-3', 'repo_list':['jboss_enterprise_web_server_3_0_el6', 'jboss_enterprise_web_server_3_0_el7', 'jboss_enterprise_web_server_3_1_el6', 'jboss_enterprise_web_server_3_1_el7']},\n {'reference':'tomcat8-admin-webapps-8.0.36-45.ep7.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-3', 'repo_list':['jboss_enterprise_web_server_3_0_el6', 'jboss_enterprise_web_server_3_0_el7', 'jboss_enterprise_web_server_3_1_el6', 'jboss_enterprise_web_server_3_1_el7']},\n {'reference':'tomcat8-docs-webapp-8.0.36-45.ep7.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-3', 'repo_list':['jboss_enterprise_web_server_3_0_el6', 'jboss_enterprise_web_server_3_0_el7', 'jboss_enterprise_web_server_3_1_el6', 'jboss_enterprise_web_server_3_1_el7']},\n {'reference':'tomcat8-el-2.2-api-8.0.36-45.ep7.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-3', 'repo_list':['jboss_enterprise_web_server_3_0_el6', 'jboss_enterprise_web_server_3_0_el7', 'jboss_enterprise_web_server_3_1_el6', 'jboss_enterprise_web_server_3_1_el7']},\n {'reference':'tomcat8-javadoc-8.0.36-45.ep7.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-3', 'repo_list':['jboss_enterprise_web_server_3_0_el6', 'jboss_enterprise_web_server_3_0_el7', 'jboss_enterprise_web_server_3_1_el6', 'jboss_enterprise_web_server_3_1_el7']},\n {'reference':'tomcat8-jsp-2.3-api-8.0.36-45.ep7.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-3', 'repo_list':['jboss_enterprise_web_server_3_0_el6', 'jboss_enterprise_web_server_3_0_el7', 'jboss_enterprise_web_server_3_1_el6', 'jboss_enterprise_web_server_3_1_el7']},\n {'reference':'tomcat8-jsvc-8.0.36-45.ep7.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-3', 'repo_list':['jboss_enterprise_web_server_3_0_el6', 'jboss_enterprise_web_server_3_0_el7', 'jboss_enterprise_web_server_3_1_el6', 'jboss_enterprise_web_server_3_1_el7']},\n {'reference':'tomcat8-lib-8.0.36-45.ep7.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-3', 'repo_list':['jboss_enterprise_web_server_3_0_el6', 'jboss_enterprise_web_server_3_0_el7', 'jboss_enterprise_web_server_3_1_el6', 'jboss_enterprise_web_server_3_1_el7']},\n {'reference':'tomcat8-log4j-8.0.36-45.ep7.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-3', 'repo_list':['jboss_enterprise_web_server_3_0_el6', 'jboss_enterprise_web_server_3_0_el7', 'jboss_enterprise_web_server_3_1_el6', 'jboss_enterprise_web_server_3_1_el7']},\n {'reference':'tomcat8-selinux-8.0.36-45.ep7.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-3', 'repo_list':['jboss_enterprise_web_server_3_0_el6', 'jboss_enterprise_web_server_3_0_el7', 'jboss_enterprise_web_server_3_1_el6', 'jboss_enterprise_web_server_3_1_el7']},\n {'reference':'tomcat8-servlet-3.1-api-8.0.36-45.ep7.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-3', 'repo_list':['jboss_enterprise_web_server_3_0_el6', 'jboss_enterprise_web_server_3_0_el7', 'jboss_enterprise_web_server_3_1_el6', 'jboss_enterprise_web_server_3_1_el7']},\n {'reference':'tomcat8-webapps-8.0.36-45.ep7.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws-3', 'repo_list':['jboss_enterprise_web_server_3_0_el6', 'jboss_enterprise_web_server_3_0_el7', 'jboss_enterprise_web_server_3_1_el6', 'jboss_enterprise_web_server_3_1_el7']}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n var repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference &&\n release &&\n (rhel_decide_repo_check(repo_list:repo_list, repo_sets:repo_sets) || (!exists_check || rpm_exists(release:release, rpm:exists_check))) &&\n rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(repo_sets)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'tomcat7 / tomcat7-admin-webapps / tomcat7-docs-webapp / etc');\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-06-29T18:40:45", "description": "According to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.(CVE-2020-13935)\n\n - When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server and b) the server is configured to use the PersistenceManager with a FileStore and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter='null' (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control.\n Note that all of conditions a) to d) must be true for the attack to succeed.(CVE-2020-9484)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7, "vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-09-28T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP3 : tomcat (EulerOS-SA-2020-2093)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13935", "CVE-2020-9484"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:tomcat", "p-cpe:/a:huawei:euleros:tomcat-admin-webapps", "p-cpe:/a:huawei:euleros:tomcat-el-2.2-api", "p-cpe:/a:huawei:euleros:tomcat-jsp-2.2-api", "p-cpe:/a:huawei:euleros:tomcat-lib", "p-cpe:/a:huawei:euleros:tomcat-servlet-3.0-api", "p-cpe:/a:huawei:euleros:tomcat-webapps", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2020-2093.NASL", "href": "https://www.tenable.com/plugins/nessus/140860", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140860);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2020-13935\",\n \"CVE-2020-9484\"\n );\n\n script_name(english:\"EulerOS 2.0 SP3 : tomcat (EulerOS-SA-2020-2093)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the tomcat packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - The payload length in a WebSocket frame was not\n correctly validated in Apache Tomcat 10.0.0-M1 to\n 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and\n 7.0.27 to 7.0.104. Invalid payload lengths could\n trigger an infinite loop. Multiple requests with\n invalid payload lengths could lead to a denial of\n service.(CVE-2020-13935)\n\n - When using Apache Tomcat versions 10.0.0-M1 to\n 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and\n 7.0.0 to 7.0.103 if a) an attacker is able to control\n the contents and name of a file on the server and b)\n the server is configured to use the PersistenceManager\n with a FileStore and c) the PersistenceManager is\n configured with\n sessionAttributeValueClassNameFilter='null' (the\n default unless a SecurityManager is used) or a\n sufficiently lax filter to allow the attacker provided\n object to be deserialized and d) the attacker knows the\n relative file path from the storage location used by\n FileStore to the file the attacker has control over\n then, using a specifically crafted request, the\n attacker will be able to trigger remote code execution\n via deserialization of the file under their control.\n Note that all of conditions a) to d) must be true for\n the attack to succeed.(CVE-2020-9484)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-2093\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?329db584\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected tomcat packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-9484\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-el-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-jsp-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-servlet-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(3)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"tomcat-7.0.76-8.h10\",\n \"tomcat-admin-webapps-7.0.76-8.h10\",\n \"tomcat-el-2.2-api-7.0.76-8.h10\",\n \"tomcat-jsp-2.2-api-7.0.76-8.h10\",\n \"tomcat-lib-7.0.76-8.h10\",\n \"tomcat-servlet-3.0-api-7.0.76-8.h10\",\n \"tomcat-webapps-7.0.76-8.h10\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"3\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat\");\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-26T18:30:13", "description": "According to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.(CVE-2020-1938)\n\n - In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.(CVE-2020-1935)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-03-23T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP8 : tomcat (EulerOS-SA-2020-1302)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-1935", "CVE-2020-1938"], "modified": "2022-03-08T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:tomcat", "p-cpe:/a:huawei:euleros:tomcat-admin-webapps", "p-cpe:/a:huawei:euleros:tomcat-el-3.0-api", "p-cpe:/a:huawei:euleros:tomcat-jsp-2.3-api", "p-cpe:/a:huawei:euleros:tomcat-lib", "p-cpe:/a:huawei:euleros:tomcat-servlet-4.0-api", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2020-1302.NASL", "href": "https://www.tenable.com/plugins/nessus/134794", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134794);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\"CVE-2020-1935\", \"CVE-2020-1938\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n\n script_name(english:\"EulerOS 2.0 SP8 : tomcat (EulerOS-SA-2020-1302)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the tomcat packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - When using the Apache JServ Protocol (AJP), care must\n be taken when trusting incoming connections to Apache\n Tomcat. Tomcat treats AJP connections as having higher\n trust than, for example, a similar HTTP connection. If\n such connections are available to an attacker, they can\n be exploited in ways that may be surprising. In Apache\n Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0\n to 7.0.99, Tomcat shipped with an AJP Connector enabled\n by default that listened on all configured IP\n addresses. It was expected (and recommended in the\n security guide) that this Connector would be disabled\n if not required. This vulnerability report identified a\n mechanism that allowed: - returning arbitrary files\n from anywhere in the web application - processing any\n file in the web application as a JSP Further, if the\n web application allowed file upload and stored those\n files within the web application (or the attacker was\n able to control the content of the web application by\n some other means) then this, along with the ability to\n process a file as a JSP, made remote code execution\n possible. It is important to note that mitigation is\n only required if an AJP port is accessible to untrusted\n users. Users wishing to take a defence-in-depth\n approach and block the vector that permits returning\n arbitrary files and execution as JSP may upgrade to\n Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A\n number of changes were made to the default AJP\n Connector configuration in 9.0.31 to harden the default\n configuration. It is likely that users upgrading to\n 9.0.31, 8.5.51 or 7.0.100 or later will need to make\n small changes to their configurations.(CVE-2020-1938)\n\n - In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50\n and 7.0.0 to 7.0.99 the HTTP header parsing code used\n an approach to end-of-line parsing that allowed some\n invalid HTTP headers to be parsed as valid. This led to\n a possibility of HTTP Request Smuggling if Tomcat was\n located behind a reverse proxy that incorrectly handled\n the invalid Transfer-Encoding header in a particular\n manner. Such a reverse proxy is considered\n unlikely.(CVE-2020-1935)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1302\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56038754\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected tomcat packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1938\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-el-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-jsp-2.3-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-servlet-4.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(8)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"tomcat-9.0.10-1.h6.eulerosv2r8\",\n \"tomcat-admin-webapps-9.0.10-1.h6.eulerosv2r8\",\n \"tomcat-el-3.0-api-9.0.10-1.h6.eulerosv2r8\",\n \"tomcat-jsp-2.3-api-9.0.10-1.h6.eulerosv2r8\",\n \"tomcat-lib-9.0.10-1.h6.eulerosv2r8\",\n \"tomcat-servlet-4.0-api-9.0.10-1.h6.eulerosv2r8\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"8\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T15:43:41", "description": "The remote Ubuntu 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-4532-1 advisory.\n\n - Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a Transfer- Encoding : chunked line), which leads to HTTP request smuggling. (CVE-2019-16869)\n\n - HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an invalid fold.\n (CVE-2019-20444)\n\n - HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. (CVE-2019-20445)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.1, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}, "published": "2020-09-23T00:00:00", "type": "nessus", "title": "Ubuntu 18.04 LTS : Netty vulnerabilities (USN-4532-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16869", "CVE-2019-20444", "CVE-2019-20445"], "modified": "2020-11-24T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:libnetty-3.9-java"], "id": "UBUNTU_USN-4532-1.NASL", "href": "https://www.tenable.com/plugins/nessus/140753", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4532-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140753);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/24\");\n\n script_cve_id(\"CVE-2019-16869\", \"CVE-2019-20444\", \"CVE-2019-20445\");\n script_xref(name:\"USN\", value:\"4532-1\");\n\n script_name(english:\"Ubuntu 18.04 LTS : Netty vulnerabilities (USN-4532-1)\");\n script_summary(english:\"Checks the dpkg output for the updated package\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in\nthe USN-4532-1 advisory.\n\n - Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a Transfer-\n Encoding : chunked line), which leads to HTTP request smuggling. (CVE-2019-16869)\n\n - HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be\n interpreted as a separate header with an incorrect syntax, or might be interpreted as an invalid fold.\n (CVE-2019-20444)\n\n - HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second\n Content-Length header, or by a Transfer-Encoding header. (CVE-2019-20445)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4532-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected libnetty-3.9-java package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-20445\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libnetty-3.9-java\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('misc_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! preg(pattern:\"^(18\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\n\npkgs = [\n {'osver': '18.04', 'pkgname': 'libnetty-3.9-java', 'pkgver': '3.9.9.Final-1+deb9u1build0.18.04.1'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libnetty-3.9-java');\n}", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-06-23T15:07:15", "description": "Several vulnerabilities have been discovered in netty-3.9, a Java NIO client/server socket framework.\n\nCVE-2019-16869\n\nNetty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a 'Transfer-Encoding : chunked' line), which leads to HTTP request smuggling.\n\nCVE-2019-20444\n\nHttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an 'invalid fold.'\n\nCVE-2019-20445\n\nHttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.\n\nFor Debian 9 stretch, these problems have been fixed in version 3.9.9.Final-1+deb9u1.\n\nWe recommend that you upgrade your netty-3.9 packages.\n\nFor the detailed security status of netty-3.9 please refer to its security tracker page at:\nhttps://security-tracker.debian.org/tracker/netty-3.9\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.1, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}, "published": "2020-09-08T00:00:00", "type": "nessus", "title": "Debian DLA-2365-1 : netty-3.9 security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16869", "CVE-2019-20444", "CVE-2019-20445"], "modified": "2020-09-10T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libnetty-3.9-java", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2365.NASL", "href": "https://www.tenable.com/plugins/nessus/140296", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2365-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(140296);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/10\");\n\n script_cve_id(\"CVE-2019-16869\", \"CVE-2019-20444\", \"CVE-2019-20445\");\n\n script_name(english:\"Debian DLA-2365-1 : netty-3.9 security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Several vulnerabilities have been discovered in netty-3.9, a Java NIO\nclient/server socket framework.\n\nCVE-2019-16869\n\nNetty before 4.1.42.Final mishandles whitespace before the colon in\nHTTP headers (such as a 'Transfer-Encoding : chunked' line), which\nleads to HTTP request smuggling.\n\nCVE-2019-20444\n\nHttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header\nthat lacks a colon, which might be interpreted as a separate header\nwith an incorrect syntax, or might be interpreted as an 'invalid\nfold.'\n\nCVE-2019-20445\n\nHttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length\nheader to be accompanied by a second Content-Length header, or by a\nTransfer-Encoding header.\n\nFor Debian 9 stretch, these problems have been fixed in version\n3.9.9.Final-1+deb9u1.\n\nWe recommend that you upgrade your netty-3.9 packages.\n\nFor the detailed security status of netty-3.9 please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/netty-3.9\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/netty-3.9\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/netty-3.9\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Upgrade the affected libnetty-3.9-java package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libnetty-3.9-java\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"libnetty-3.9-java\", reference:\"3.9.9.Final-1+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-06-16T14:55:18", "description": "The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has tomcat packages installed that are affected by multiple vulnerabilities:\n\n - When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability. (CVE-2019-17563)\n\n - In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. (CVE-2020-1935)\n\n - The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. (CVE-2020-13935)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-03-10T00:00:00", "type": "nessus", "title": "NewStart CGSL CORE 5.04 / MAIN 5.04 : tomcat Multiple Vulnerabilities (NS-SA-2021-0028)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-17563", "CVE-2020-13935", "CVE-2020-1935"], "modified": "2022-05-10T00:00:00", "cpe": [], "id": "NEWSTART_CGSL_NS-SA-2021-0028_TOMCAT.NASL", "href": "https://www.tenable.com/plugins/nessus/147349", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2021-0028. The text\n# itself is copyright (C) ZTE, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147349);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/10\");\n\n script_cve_id(\"CVE-2019-17563\", \"CVE-2020-1935\", \"CVE-2020-13935\");\n\n script_name(english:\"NewStart CGSL CORE 5.04 / MAIN 5.04 : tomcat Multiple Vulnerabilities (NS-SA-2021-0028)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has tomcat packages installed that are affected by\nmultiple vulnerabilities:\n\n - When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98\n there was a narrow window where an attacker could perform a session fixation attack. The window was\n considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has\n been treated as a security vulnerability. (CVE-2019-17563)\n\n - In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used\n an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led\n to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly\n handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered\n unlikely. (CVE-2020-1935)\n\n - The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to\n 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could\n trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of\n service. (CVE-2020-13935)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2021-0028\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL tomcat packages. Note that updated packages may not be available yet. Please contact ZTE for\nmore information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1935\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2019-17563\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/ZTE-CGSL/release');\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');\n\nif (release !~ \"CGSL CORE 5.04\" &&\n release !~ \"CGSL MAIN 5.04\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04');\n\nif (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);\n\nflag = 0;\n\npkgs = {\n 'CGSL CORE 5.04': [\n 'tomcat-7.0.76-16.el7_9',\n 'tomcat-admin-webapps-7.0.76-16.el7_9',\n 'tomcat-docs-webapp-7.0.76-16.el7_9',\n 'tomcat-el-2.2-api-7.0.76-16.el7_9',\n 'tomcat-javadoc-7.0.76-16.el7_9',\n 'tomcat-jsp-2.2-api-7.0.76-16.el7_9',\n 'tomcat-jsvc-7.0.76-16.el7_9',\n 'tomcat-lib-7.0.76-16.el7_9',\n 'tomcat-servlet-3.0-api-7.0.76-16.el7_9',\n 'tomcat-webapps-7.0.76-16.el7_9'\n ],\n 'CGSL MAIN 5.04': [\n 'tomcat-7.0.76-16.el7_9',\n 'tomcat-admin-webapps-7.0.76-16.el7_9',\n 'tomcat-docs-webapp-7.0.76-16.el7_9',\n 'tomcat-el-2.2-api-7.0.76-16.el7_9',\n 'tomcat-javadoc-7.0.76-16.el7_9',\n 'tomcat-jsp-2.2-api-7.0.76-16.el7_9',\n 'tomcat-jsvc-7.0.76-16.el7_9',\n 'tomcat-lib-7.0.76-16.el7_9',\n 'tomcat-servlet-3.0-api-7.0.76-16.el7_9',\n 'tomcat-webapps-7.0.76-16.el7_9'\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:'ZTE ' + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'tomcat');\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-06-15T16:47:56", "description": "The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has tomcat packages installed that are affected by multiple vulnerabilities:\n\n - When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability. (CVE-2019-17563)\n\n - The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. (CVE-2020-13935)\n\n - In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. (CVE-2020-1935)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-10-27T00:00:00", "type": "nessus", "title": "NewStart CGSL CORE 5.05 / MAIN 5.05 : tomcat Multiple Vulnerabilities (NS-SA-2021-0144)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-17563", "CVE-2020-13935", "CVE-2020-1935"], "modified": "2022-05-09T00:00:00", "cpe": ["p-cpe:/a:zte:cgsl_core:tomcat", "p-cpe:/a:zte:cgsl_core:tomcat-admin-webapps", "p-cpe:/a:zte:cgsl_core:tomcat-docs-webapp", "p-cpe:/a:zte:cgsl_core:tomcat-el-2.2-api", "p-cpe:/a:zte:cgsl_core:tomcat-javadoc", "p-cpe:/a:zte:cgsl_core:tomcat-jsp-2.2-api", "p-cpe:/a:zte:cgsl_core:tomcat-jsvc", "p-cpe:/a:zte:cgsl_core:tomcat-lib", "p-cpe:/a:zte:cgsl_core:tomcat-servlet-3.0-api", "p-cpe:/a:zte:cgsl_core:tomcat-webapps", "p-cpe:/a:zte:cgsl_main:tomcat", "p-cpe:/a:zte:cgsl_main:tomcat-admin-webapps", "p-cpe:/a:zte:cgsl_main:tomcat-docs-webapp", "p-cpe:/a:zte:cgsl_main:tomcat-el-2.2-api", "p-cpe:/a:zte:cgsl_main:tomcat-javadoc", "p-cpe:/a:zte:cgsl_main:tomcat-jsp-2.2-api", "p-cpe:/a:zte:cgsl_main:tomcat-jsvc", "p-cpe:/a:zte:cgsl_main:tomcat-lib", "p-cpe:/a:zte:cgsl_main:tomcat-servlet-3.0-api", "p-cpe:/a:zte:cgsl_main:tomcat-webapps", "cpe:/o:zte:cgsl_core:5", "cpe:/o:zte:cgsl_main:5"], "id": "NEWSTART_CGSL_NS-SA-2021-0144_TOMCAT.NASL", "href": "https://www.tenable.com/plugins/nessus/154555", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2021-0144. The text\n# itself is copyright (C) ZTE, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154555);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\"CVE-2019-17563\", \"CVE-2020-1935\", \"CVE-2020-13935\");\n script_xref(name:\"IAVA\", value:\"2020-A-0140\");\n script_xref(name:\"IAVA\", value:\"2020-A-0316-S\");\n script_xref(name:\"IAVB\", value:\"2020-B-0010-S\");\n\n script_name(english:\"NewStart CGSL CORE 5.05 / MAIN 5.05 : tomcat Multiple Vulnerabilities (NS-SA-2021-0144)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote NewStart CGSL host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has tomcat packages installed that are affected by\nmultiple vulnerabilities:\n\n - When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98\n there was a narrow window where an attacker could perform a session fixation attack. The window was\n considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has\n been treated as a security vulnerability. (CVE-2019-17563)\n\n - The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to\n 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could\n trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of\n service. (CVE-2020-13935)\n\n - In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used\n an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led\n to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly\n handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered\n unlikely. (CVE-2020-1935)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2021-0144\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2019-17563\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-13935\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-1935\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL tomcat packages. Note that updated packages may not be available yet. Please contact ZTE for\nmore information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1935\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2019-17563\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:tomcat-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:tomcat-el-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:tomcat-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:tomcat-jsp-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:tomcat-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:tomcat-servlet-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:tomcat-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:tomcat-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:tomcat-el-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:tomcat-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:tomcat-jsp-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:tomcat-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:tomcat-servlet-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:tomcat-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:zte:cgsl_core:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:zte:cgsl_main:5\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item('Host/ZTE-CGSL/release');\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');\n\nif (release !~ \"CGSL CORE 5.05\" &&\n release !~ \"CGSL MAIN 5.05\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.05 / NewStart CGSL MAIN 5.05');\n\nif (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);\n\nvar flag = 0;\n\nvar pkgs = {\n 'CGSL CORE 5.05': [\n 'tomcat-7.0.76-16.el7_9',\n 'tomcat-admin-webapps-7.0.76-16.el7_9',\n 'tomcat-docs-webapp-7.0.76-16.el7_9',\n 'tomcat-el-2.2-api-7.0.76-16.el7_9',\n 'tomcat-javadoc-7.0.76-16.el7_9',\n 'tomcat-jsp-2.2-api-7.0.76-16.el7_9',\n 'tomcat-jsvc-7.0.76-16.el7_9',\n 'tomcat-lib-7.0.76-16.el7_9',\n 'tomcat-servlet-3.0-api-7.0.76-16.el7_9',\n 'tomcat-webapps-7.0.76-16.el7_9'\n ],\n 'CGSL MAIN 5.05': [\n 'tomcat-7.0.76-16.el7_9',\n 'tomcat-admin-webapps-7.0.76-16.el7_9',\n 'tomcat-docs-webapp-7.0.76-16.el7_9',\n 'tomcat-el-2.2-api-7.0.76-16.el7_9',\n 'tomcat-javadoc-7.0.76-16.el7_9',\n 'tomcat-jsp-2.2-api-7.0.76-16.el7_9',\n 'tomcat-jsvc-7.0.76-16.el7_9',\n 'tomcat-lib-7.0.76-16.el7_9',\n 'tomcat-servlet-3.0-api-7.0.76-16.el7_9',\n 'tomcat-webapps-7.0.76-16.el7_9'\n ]\n};\nvar pkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:'ZTE ' + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'tomcat');\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-08-16T15:33:35", "description": "The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4244 advisory.\n\n - picketbox: JBoss EAP reload to admin-only mode allows authentication bypass (CVE-2020-14299)\n\n - wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl (CVE-2020-14338)\n\n - xnio: file descriptor leak caused by growing amounts of NIO Selector file handles may lead to DoS (CVE-2020-14340)\n\n - cxf: JMX integration is vulnerable to a MITM attack (CVE-2020-1954)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2020-10-14T00:00:00", "type": "nessus", "title": "RHEL 6 : Red Hat JBoss Enterprise Application Platform 7.3.3 security update on RHEL 6 (Moderate) (RHSA-2020:4244)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-14299", "CVE-2020-14338", "CVE-2020-14340", "CVE-2020-1954"], "modified": "2022-05-12T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jdbc-store", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-native", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions", "p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-tools", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-commons-codec", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-commons-lang", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services", "p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools", "p-cpe:/a:redhat:enterprise_linux:eap7-artemis-native", "p-cpe:/a:redhat:enterprise_linux:eap7-artemis-native-wildfly", "p-cpe:/a:redhat:enterprise_linux:eap7-bouncycastle", "p-cpe:/a:redhat:enterprise_linux:eap7-bouncycastle-mail", "p-cpe:/a:redhat:enterprise_linux:eap7-bouncycastle-pkix", "p-cpe:/a:redhat:enterprise_linux:eap7-bouncycastle-prov", "p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf", "p-cpe:/a:redhat:enterprise_linux:eap7-hal-console", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers", "p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8", "p-cpe:/a:redhat:enterprise_linux:eap7-httpcomponents-client", "p-cpe:/a:redhat:enterprise_linux:eap7-httpcomponents-core", "p-cpe:/a:redhat:enterprise_linux:eap7-jberet", "p-cpe:/a:redhat:enterprise_linux:eap7-jberet-core", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.3", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2-to-eap7.3", "p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.3-server", "p-cpe:/a:redhat:enterprise_linux:eap7-jgroups", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-compensations", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-idlj", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-integration", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-api", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-bridge", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-integration", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-util", "p-cpe:/a:redhat:enterprise_linux:eap7-narayana-txframework", "p-cpe:/a:redhat:enterprise_linux:eap7-picketbox", "p-cpe:/a:redhat:enterprise_linux:eap7-picketbox-infinispan", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings", "p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8", "p-cpe:/a:redhat:enterprise_linux:eap7-snakeyaml", "p-cpe:/a:redhat:enterprise_linux:eap7-undertow", "p-cpe:/a:redhat:enterprise_linux:eap7-velocity", "p-cpe:/a:redhat:enterprise_linux:eap7-velocity-engine-core", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron-tool", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-transaction-client", "p-cpe:/a:redhat:enterprise_linux:eap7-ws-commons-XmlSchema", "p-cpe:/a:redhat:enterprise_linux:eap7-xerces-j2"], "id": "REDHAT-RHSA-2020-4244.NASL", "href": "https://www.tenable.com/plugins/nessus/141454", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:4244. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141454);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/12\");\n\n script_cve_id(\n \"CVE-2020-1954\",\n \"CVE-2020-14299\",\n \"CVE-2020-14338\",\n \"CVE-2020-14340\"\n );\n script_xref(name:\"RHSA\", value:\"2020:4244\");\n\n script_name(english:\"RHEL 6 : Red Hat JBoss Enterprise Application Platform 7.3.3 security update on RHEL 6 (Moderate) (RHSA-2020:4244)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2020:4244 advisory.\n\n - picketbox: JBoss EAP reload to admin-only mode allows authentication bypass (CVE-2020-14299)\n\n - wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl\n (CVE-2020-14338)\n\n - xnio: file descriptor leak caused by growing amounts of NIO Selector file handles may lead to DoS\n (CVE-2020-14340)\n\n - cxf: JMX integration is vulnerable to a MITM attack (CVE-2020-1954)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/20.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/200.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/287.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/400.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-1954\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14299\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14338\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14340\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:4244\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1824301\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1848533\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1860054\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1860218\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14338\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-1954\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 200, 287, 400);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-commons\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-core-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-dto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hornetq-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-hqclient-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jdbc-store\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-jms-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-journal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-native\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-ra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-selector\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-service-extensions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-activemq-artemis-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-commons-codec\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-commons-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-artemis-native\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-artemis-native-wildfly\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-bouncycastle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-bouncycastle-mail\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-bouncycastle-pkix\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-bouncycastle-prov\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hal-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-httpcomponents-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-httpcomponents-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jberet\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jberet-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2-to-eap7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.3-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jgroups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-compensations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-idlj\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-jts-integration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-bridge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-integration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-restat-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-narayana-txframework\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketbox-infinispan\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-snakeyaml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-undertow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-velocity\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-velocity-engine-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-elytron-tool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-transaction-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-ws-commons-XmlSchema\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-xerces-j2\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nvar os_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '6')) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar repositories = {\n 'jboss_enterprise_application_platform_7_3_el6': [\n 'jb-eap-7.3-for-rhel-6-server-debug-rpms',\n 'jb-eap-7.3-for-rhel-6-server-rpms',\n 'jb-eap-7.3-for-rhel-6-server-source-rpms'\n ]\n};\n\nvar repo_sets = rhel_get_valid_repo_sets(repositories:repositories);\nif(repo_sets == RHEL_REPOS_NO_OVERLAP_MESSAGE) audit(AUDIT_PACKAGE_LIST_MISSING, RHEL_REPO_AUDIT_PACKAGE_LIST_DETAILS);\n\nvar pkgs = [\n {'reference':'eap7-activemq-artemis-2.9.0-5.redhat_00011.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-cli-2.9.0-5.redhat_00011.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-commons-2.9.0-5.redhat_00011.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-core-client-2.9.0-5.redhat_00011.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-dto-2.9.0-5.redhat_00011.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-hornetq-protocol-2.9.0-5.redhat_00011.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-hqclient-protocol-2.9.0-5.redhat_00011.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-jdbc-store-2.9.0-5.redhat_00011.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-jms-client-2.9.0-5.redhat_00011.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-jms-server-2.9.0-5.redhat_00011.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-journal-2.9.0-5.redhat_00011.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-native-1.0.2-1.redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-ra-2.9.0-5.redhat_00011.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-selector-2.9.0-5.redhat_00011.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-server-2.9.0-5.redhat_00011.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-service-extensions-2.9.0-5.redhat_00011.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-activemq-artemis-tools-2.9.0-5.redhat_00011.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-apache-commons-codec-1.14.0-1.redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-apache-commons-lang-3.10.0-1.redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-apache-cxf-3.3.7-1.redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-apache-cxf-rt-3.3.7-1.redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-apache-cxf-services-3.3.7-1.redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-apache-cxf-tools-3.3.7-1.redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-artemis-native-1.0.2-3.redhat_1.el6eap', 'cpu':'x86_64', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-artemis-native-wildfly-1.0.2-3.redhat_1.el6eap', 'cpu':'x86_64', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-bouncycastle-1.65.0-1.redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-bouncycastle-mail-1.65.0-1.redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-bouncycastle-pkix-1.65.0-1.redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-bouncycastle-prov-1.65.0-1.redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-glassfish-jsf-2.3.9-11.SP12_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_enterprise_application_platform_7_3_el6']},\n {'reference':'eap7-hal-console-3.2.10-1.Final_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss', 'repo_list':['jboss_en

(RHSA-2021:3140) Moderate: Red Hat Fuse 7.9.0 release and security update

Description

Related