JBossWS is vulnerable to information disclosure. The request handler in JBossWS did not correctly verify the resource path when serving WSDL files for custom web service endpoints. This allowed remote attackers to read arbitrary XML files with the permissions of the EAP process.
{"redhat": [{"lastseen": "2021-10-21T04:45:00", "description": "JBoss Enterprise Application Platform (JBoss EAP) is the market-leading\nplatform for innovative and scalable Java applications. JBoss EAP\nintegrates the JBoss Application Server with JBoss Hibernate and JBoss Seam\ninto a complete, simple enterprise solution.\n\nThis release of JBoss EAP for Red Hat Enterprise Linux 5 serves as a\nreplacement for JBEAP 4.3.0.CP03.\n\nThese updated packages include bug fixes and enhancements which are\ndetailed in the release notes. The link to the release notes is available\nin the References section of this errata.\n\nThe following security issue is also fixed with this release:\n\nThe request handler in JBossWS did not correctly verify the resource path\nwhen serving WSDL files for custom web service endpoints. This allowed\nremote attackers to read arbitrary XML files with the permissions of the\nEAP process. (CVE-2009-0027)\n\nWarning: before applying this update, please back up the JBoss EAP\n\"server/[configuration]/deploy/\" directory, as well as any other customized\nconfiguration files.\n\nAll users of JBoss EAP 4.3 on Red Hat Enterprise Linux 5 are advised to\nupgrade to these updated packages, which resolve these issues.", "cvss3": {}, "published": "2009-03-06T00:00:00", "type": "redhat", "title": "(RHSA-2009:0349) Moderate: JBoss Enterprise Application Platform 4.3.0CP04 update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-0027"], "modified": "2016-04-04T14:31:06", "id": 
"RHSA-2009:0349", "href": "https://access.redhat.com/errata/RHSA-2009:0349", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "nessus": [{"lastseen": "2023-05-18T15:33:16", "description": "Updated JBoss Enterprise Application Platform (JBoss EAP) 4.2 packages that fix various issues are now available for Red Hat Enterprise Linux 4 as JBEAP 4.2.0.CP06.\n\nThis update has been rated as having moderate security impact by the Red Hat Security Response Team.\n\nJBoss Enterprise Application Platform (JBoss EAP) is the market-leading platform for innovative and scalable Java applications.\nJBoss EAP integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam into a complete, simple enterprise solution.\n\nThis release of JBoss EAP for Red Hat Enterprise Linux 4 serves as a replacement to JBEAP 4.2.0.CP05.\n\nThese updated packages include bug fixes and enhancements which are detailed in the release notes. The link to the release notes is available below in the References section.\n\nThe following security issue is also fixed with this release :\n\nThe request handler in JBossWS did not correctly verify the resource path when serving WSDL files for custom web service endpoints. This allowed remote attackers to read arbitrary XML files with the permissions of the EAP process. 
(CVE-2009-0027)\n\nWarning: before applying this update, please backup the JBoss EAP 'server/[configuration]/deploy/' directory, and any other customized configuration files.\n\nAll users of JBoss EAP 4.2 on Red Hat Enterprise Linux 4 are advised to upgrade to these updated packages, which resolve these issues.", "cvss3": {}, "published": "2013-01-24T00:00:00", "type": "nessus", "title": "RHEL 4 : JBoss EAP (RHSA-2009:0346)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-0027"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:glassfish-jsf", "p-cpe:/a:redhat:enterprise_linux:hibernate3", "p-cpe:/a:redhat:enterprise_linux:hibernate3-javadoc", "p-cpe:/a:redhat:enterprise_linux:jacorb", "p-cpe:/a:redhat:enterprise_linux:jakarta-commons-beanutils", "p-cpe:/a:redhat:enterprise_linux:jakarta-commons-fileupload", "p-cpe:/a:redhat:enterprise_linux:jakarta-commons-io", "p-cpe:/a:redhat:enterprise_linux:jakarta-commons-logging-jboss", "p-cpe:/a:redhat:enterprise_linux:jboss-cache", "p-cpe:/a:redhat:enterprise_linux:jboss-jaxr", "p-cpe:/a:redhat:enterprise_linux:jboss-remoting", "p-cpe:/a:redhat:enterprise_linux:jboss-seam", "p-cpe:/a:redhat:enterprise_linux:jboss-seam-docs", "p-cpe:/a:redhat:enterprise_linux:jboss-vfs", "p-cpe:/a:redhat:enterprise_linux:jbossas", "p-cpe:/a:redhat:enterprise_linux:jbossas-4.2.0.ga_cp06-bin", "p-cpe:/a:redhat:enterprise_linux:jbossas-client", "p-cpe:/a:redhat:enterprise_linux:jbossts", "p-cpe:/a:redhat:enterprise_linux:jbossweb", "p-cpe:/a:redhat:enterprise_linux:jgroups", "p-cpe:/a:redhat:enterprise_linux:rh-eap-docs", "p-cpe:/a:redhat:enterprise_linux:rh-eap-docs-examples", "p-cpe:/a:redhat:enterprise_linux:tanukiwrapper", "p-cpe:/a:redhat:enterprise_linux:ws-commons-policy", "p-cpe:/a:redhat:enterprise_linux:ws-scout0", "p-cpe:/a:redhat:enterprise_linux:xalan-j2", "cpe:/o:redhat:enterprise_linux:4"], "id": "REDHAT-RHSA-2009-0346.NASL", "href": "https://www.tenable.com/plugins/nessus/63874", 
"sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2009:0346. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(63874);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-0027\");\n script_xref(name:\"RHSA\", value:\"2009:0346\");\n\n script_name(english:\"RHEL 4 : JBoss EAP (RHSA-2009:0346)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated JBoss Enterprise Application Platform (JBoss EAP) 4.2 packages\nthat fix various issues are now available for Red Hat Enterprise Linux\n4 as JBEAP 4.2.0.CP06.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nJBoss Enterprise Application Platform (JBoss EAP) is the\nmarket-leading platform for innovative and scalable Java applications.\nJBoss EAP integrates the JBoss Application Server with JBoss Hibernate\nand JBoss Seam into a complete, simple enterprise solution.\n\nThis release of JBoss EAP for Red Hat Enterprise Linux 4 serves as a\nreplacement to JBEAP 4.2.0.CP05.\n\nThese updated packages include bug fixes and enhancements which are\ndetailed in the release notes. The link to the release notes is\navailable below in the References section.\n\nThe following security issue is also fixed with this release :\n\nThe request handler in JBossWS did not correctly verify the resource\npath when serving WSDL files for custom web service endpoints. 
This\nallowed remote attackers to read arbitrary XML files with the\npermissions of the EAP processs. (CVE-2009-0027)\n\nWarning: before applying this update, please backup the JBoss EAP\n'server/[configuration]/deploy/' directory, and any other customized\nconfiguration files.\n\nAll users of JBoss EAP 4.2 on Red Hat Enterprise Linux 4 are advised\nto upgrade to these updated packages, which resolve these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2009-0027\"\n );\n # http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?13c46bfa\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2009:0346\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glassfish-jsf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate3-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jacorb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jakarta-commons-beanutils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jakarta-commons-fileupload\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jakarta-commons-io\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jakarta-commons-logging-jboss\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:jboss-cache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-jaxr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-remoting\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-seam\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-seam-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-vfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-4.2.0.GA_CP06-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossweb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jgroups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rh-eap-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rh-eap-docs-examples\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tanukiwrapper\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ws-commons-policy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ws-scout0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xalan-j2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/03/09\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2009/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 4.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2009:0346\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! (rpm_exists(release:\"RHEL4\", rpm:\"jbossas-client-\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"JBoss EAP\");\n\n if (rpm_check(release:\"RHEL4\", reference:\"glassfish-jsf-1.2_10-0jpp.ep1.5.ep5.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"hibernate3-3.2.4-1.SP1_CP07.0jpp.ep1.14.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"hibernate3-javadoc-3.2.4-1.SP1_CP07.0jpp.ep1.14.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jacorb-2.3.0-1jpp.ep1.7.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jakarta-commons-beanutils-1.8.0-3.ep5.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jakarta-commons-fileupload-1.1.1-3jpp.ep1.2.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jakarta-commons-io-1.1-0.20051005.2jpp_1rh\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jakarta-commons-logging-jboss-1.1-4.ep1.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jboss-cache-1.4.1-6.SP11.1.ep1.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", 
reference:\"jboss-jaxr-1.2.0-SP2.0jpp.ep1.3.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jboss-remoting-2.2.2-3.SP11.0jpp.ep1.1.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jboss-seam-1.2.1-1.ep1.18.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jboss-seam-docs-1.2.1-1.ep1.18.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jboss-vfs-1.0.0-1.ep1.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jbossas-4.2.0-4.GA_CP06.3.ep1.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jbossas-4.2.0.GA_CP06-bin-4.2.0-4.GA_CP06.3.ep1.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jbossas-client-4.2.0-4.GA_CP06.3.ep1.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jbossts-4.2.3-1.SP5_CP04.1jpp.ep1.1.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jbossweb-2.0.0-6.CP09.0jpp.ep1.1.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jgroups-2.4.5-2.ep1.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"rh-eap-docs-4.2.0-5.GA_CP06.ep1.3.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"rh-eap-docs-examples-4.2.0-5.GA_CP06.ep1.3.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"tanukiwrapper-3.2.1-2jpp.ep1.2.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", cpu:\"x86_64\", reference:\"tanukiwrapper-3.2.1-2jpp.ep1.2.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"ws-commons-policy-1.0-2jpp.ep1.7.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"ws-scout0-0.7-0.rc2.4.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"xalan-j2-2.7.0-2jpp.ep1.5.el4\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else 
audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glassfish-jsf / hibernate3 / hibernate3-javadoc / jacorb / etc\");\n }\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:31:40", "description": "Updated JBoss Enterprise Application Platform (JBoss EAP) 4.3 packages that fix various issues are now available for Red Hat Enterprise Linux 4 as JBEAP 4.3.0.CP04.\n\nThis update has been rated as having moderate security impact by the Red Hat Security Response Team.\n\nJBoss Enterprise Application Platform (JBoss EAP) is the market-leading platform for innovative and scalable Java applications.\nJBoss EAP integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam into a complete, simple enterprise solution.\n\nThis release of JBoss EAP for Red Hat Enterprise Linux 4 serves as a replacement for JBEAP 4.3.0.CP03.\n\nThese updated packages include bug fixes and enhancements which are detailed in the release notes. The link to the release notes is available in the References section of this errata.\n\nThe following security issue is also fixed with this release :\n\nThe request handler in JBossWS did not correctly verify the resource path when serving WSDL files for custom web service endpoints. This allowed remote attackers to read arbitrary XML files with the permissions of the EAP process. 
(CVE-2009-0027)\n\nWarning: before applying this update, please back up the JBoss EAP 'server/[configuration]/deploy/' directory, and any other customized configuration files.\n\nAll users of JBoss EAP 4.3 on Red Hat Enterprise Linux 4 are advised to upgrade to these updated packages, which resolve these issues.", "cvss3": {}, "published": "2013-01-24T00:00:00", "type": "nessus", "title": "RHEL 4 : JBoss EAP (RHSA-2009:0347)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-0027"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb", "p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-javadoc", "p-cpe:/a:redhat:enterprise_linux:glassfish-jsf", "p-cpe:/a:redhat:enterprise_linux:hibernate3", "p-cpe:/a:redhat:enterprise_linux:hibernate3-javadoc", "p-cpe:/a:redhat:enterprise_linux:jacorb", "p-cpe:/a:redhat:enterprise_linux:jakarta-commons-beanutils", "p-cpe:/a:redhat:enterprise_linux:jakarta-commons-fileupload", "p-cpe:/a:redhat:enterprise_linux:jakarta-commons-io", "p-cpe:/a:redhat:enterprise_linux:jakarta-commons-logging-jboss", "p-cpe:/a:redhat:enterprise_linux:jboss-cache", "p-cpe:/a:redhat:enterprise_linux:jboss-jaxr", "p-cpe:/a:redhat:enterprise_linux:jboss-messaging", "p-cpe:/a:redhat:enterprise_linux:jboss-remoting", "p-cpe:/a:redhat:enterprise_linux:jboss-seam", "p-cpe:/a:redhat:enterprise_linux:jboss-seam-docs", "p-cpe:/a:redhat:enterprise_linux:jboss-vfs", "p-cpe:/a:redhat:enterprise_linux:jbossas", "p-cpe:/a:redhat:enterprise_linux:jbossas-4.3.0.ga_cp04-bin", "p-cpe:/a:redhat:enterprise_linux:jbossas-client", "p-cpe:/a:redhat:enterprise_linux:jbossts", "p-cpe:/a:redhat:enterprise_linux:jbossweb", "p-cpe:/a:redhat:enterprise_linux:jbossws", "p-cpe:/a:redhat:enterprise_linux:jbossws-common", "p-cpe:/a:redhat:enterprise_linux:jbossws-framework", "p-cpe:/a:redhat:enterprise_linux:jgroups", "p-cpe:/a:redhat:enterprise_linux:rh-eap-docs", "p-cpe:/a:redhat:enterprise_linux:rh-eap-docs-examples", 
"p-cpe:/a:redhat:enterprise_linux:tanukiwrapper", "p-cpe:/a:redhat:enterprise_linux:ws-commons-policy", "p-cpe:/a:redhat:enterprise_linux:ws-scout0", "p-cpe:/a:redhat:enterprise_linux:xalan-j2", "cpe:/o:redhat:enterprise_linux:4"], "id": "REDHAT-RHSA-2009-0347.NASL", "href": "https://www.tenable.com/plugins/nessus/63875", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2009:0347. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(63875);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-0027\");\n script_xref(name:\"RHSA\", value:\"2009:0347\");\n\n script_name(english:\"RHEL 4 : JBoss EAP (RHSA-2009:0347)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated JBoss Enterprise Application Platform (JBoss EAP) 4.3 packages\nthat fix various issues are now available for Red Hat Enterprise Linux\n4 as JBEAP 4.3.0.CP04.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nJBoss Enterprise Application Platform (JBoss EAP) is the\nmarket-leading platform for innovative and scalable Java applications.\nJBoss EAP integrates the JBoss Application Server with JBoss Hibernate\nand JBoss Seam into a complete, simple enterprise solution.\n\nThis release of JBoss EAP for Red Hat Enterprise Linux 4 serves as a\nreplacement for JBEAP 4.3.0.CP03.\n\nThese updated packages include bug fixes and enhancements which are\ndetailed in the release notes. 
The link to the release notes is\navailable in the References section of this errata.\n\nThe following security issue is also fixed with this release :\n\nThe request handler in JBossWS did not correctly verify the resource\npath when serving WSDL files for custom web service endpoints. This\nallowed remote attackers to read arbitrary XML files with the\npermissions of the EAP process. (CVE-2009-0027)\n\nWarning: before applying this update, please back up the JBoss EAP\n'server/[configuration]/deploy/' directory, and any other customized\nconfiguration files.\n\nAll users of JBoss EAP 4.3 on Red Hat Enterprise Linux 4 are advised\nto upgrade to these updated packages, which resolve these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2009-0027\"\n );\n # http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?13c46bfa\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2009:0347\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glassfish-jsf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate3-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jacorb\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jakarta-commons-beanutils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jakarta-commons-fileupload\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jakarta-commons-io\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jakarta-commons-logging-jboss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-cache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-jaxr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-messaging\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-remoting\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-seam\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-seam-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-vfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-4.3.0.GA_CP04-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossweb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossws-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossws-framework\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:jgroups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rh-eap-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rh-eap-docs-examples\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tanukiwrapper\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ws-commons-policy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ws-scout0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xalan-j2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/03/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 4.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2009:0347\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! 
(rpm_exists(release:\"RHEL4\", rpm:\"jbossas-client-\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"JBoss EAP\");\n\n if (rpm_check(release:\"RHEL4\", reference:\"glassfish-jaxb-2.1.4-1.6.ep1.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"glassfish-jaxb-javadoc-2.1.4-1.6.ep1.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"glassfish-jsf-1.2_10-0jpp.ep1.5.ep5.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"hibernate3-3.2.4-1.SP1_CP07.0jpp.ep1.14.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"hibernate3-javadoc-3.2.4-1.SP1_CP07.0jpp.ep1.14.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jacorb-2.3.0-1jpp.ep1.7.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jakarta-commons-beanutils-1.8.0-3.ep5.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jakarta-commons-fileupload-1.1.1-3jpp.ep1.2.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jakarta-commons-io-1.1-0.20051005.2jpp_1rh\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jakarta-commons-logging-jboss-1.1-4.ep1.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jboss-cache-1.4.1-6.SP11.1.ep1.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jboss-jaxr-1.2.0-SP2.0jpp.ep1.3.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jboss-messaging-1.4.0-2.SP3_CP07.1.ep1.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jboss-remoting-2.2.2-3.SP11.0jpp.ep1.1.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jboss-seam-1.2.1-3.JBPAPP_4_3_0_GA.ep1.14.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jboss-seam-docs-1.2.1-3.JBPAPP_4_3_0_GA.ep1.14.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jboss-vfs-1.0.0-1.ep1.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jbossas-4.3.0-3.GA_CP04.3.ep1.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", 
reference:\"jbossas-4.3.0.GA_CP04-bin-4.3.0-3.GA_CP04.3.ep1.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jbossas-client-4.3.0-3.GA_CP04.3.ep1.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jbossts-4.2.3-1.SP5_CP04.1jpp.ep1.1.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jbossweb-2.0.0-6.CP09.0jpp.ep1.1.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jbossws-2.0.1-3.SP2_CP05.4.ep1.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jbossws-common-1.0.0-2.GA_CP03.1.ep1.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jbossws-framework-2.0.1-1.GA_CP03.2.ep1.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"jgroups-2.4.5-2.ep1.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"rh-eap-docs-4.3.0-4.GA_CP04.ep1.3.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"rh-eap-docs-examples-4.3.0-4.GA_CP04.ep1.3.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"tanukiwrapper-3.2.1-2jpp.ep1.2.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", cpu:\"x86_64\", reference:\"tanukiwrapper-3.2.1-2jpp.ep1.2.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"ws-commons-policy-1.0-2jpp.ep1.7.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"ws-scout0-0.7-0.rc2.4.el4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"xalan-j2-2.7.0-2jpp.ep1.5.el4\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glassfish-jaxb / glassfish-jaxb-javadoc / glassfish-jsf / etc\");\n }\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:31:41", "description": "Updated JBoss Enterprise Application Platform (JBoss EAP) 4.3 packages that fix 
various issues are now available for Red Hat Enterprise Linux 5 as JBEAP 4.3.0.CP04.\n\nThis update has been rated as having moderate security impact by the Red Hat Security Response Team.\n\nJBoss Enterprise Application Platform (JBoss EAP) is the market-leading platform for innovative and scalable Java applications.\nJBoss EAP integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam into a complete, simple enterprise solution.\n\nThis release of JBoss EAP for Red Hat Enterprise Linux 5 serves as a replacement for JBEAP 4.3.0.CP03.\n\nThese updated packages include bug fixes and enhancements which are detailed in the release notes. The link to the release notes is available in the References section of this errata.\n\nThe following security issue is also fixed with this release :\n\nThe request handler in JBossWS did not correctly verify the resource path when serving WSDL files for custom web service endpoints. This allowed remote attackers to read arbitrary XML files with the permissions of the EAP process. 
(CVE-2009-0027)\n\nWarning: before applying this update, please back up the JBoss EAP 'server/[configuration]/deploy/' directory, as well as any other customized configuration files.\n\nAll users of JBoss EAP 4.3 on Red Hat Enterprise Linux 5 are advised to upgrade to these updated packages, which resolve these issues.", "cvss3": {}, "published": "2013-01-24T00:00:00", "type": "nessus", "title": "RHEL 5 : JBoss EAP (RHSA-2009:0349)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-0027"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb", "p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-javadoc", "p-cpe:/a:redhat:enterprise_linux:glassfish-jsf", "p-cpe:/a:redhat:enterprise_linux:hibernate3", "p-cpe:/a:redhat:enterprise_linux:hibernate3-javadoc", "p-cpe:/a:redhat:enterprise_linux:jacorb", "p-cpe:/a:redhat:enterprise_linux:jakarta-commons-logging-jboss", "p-cpe:/a:redhat:enterprise_linux:jboss-cache", "p-cpe:/a:redhat:enterprise_linux:jboss-jaxr", "p-cpe:/a:redhat:enterprise_linux:jboss-messaging", "p-cpe:/a:redhat:enterprise_linux:jboss-remoting", "p-cpe:/a:redhat:enterprise_linux:jboss-seam", "p-cpe:/a:redhat:enterprise_linux:jboss-seam-docs", "p-cpe:/a:redhat:enterprise_linux:jboss-vfs", "p-cpe:/a:redhat:enterprise_linux:jbossas", "p-cpe:/a:redhat:enterprise_linux:jbossas-4.3.0.ga_cp04-bin", "p-cpe:/a:redhat:enterprise_linux:jbossas-client", "p-cpe:/a:redhat:enterprise_linux:jbossts", "p-cpe:/a:redhat:enterprise_linux:jbossweb", "p-cpe:/a:redhat:enterprise_linux:jbossws", "p-cpe:/a:redhat:enterprise_linux:jbossws-common", "p-cpe:/a:redhat:enterprise_linux:jbossws-framework", "p-cpe:/a:redhat:enterprise_linux:jgroups", "p-cpe:/a:redhat:enterprise_linux:rh-eap-docs", "p-cpe:/a:redhat:enterprise_linux:rh-eap-docs-examples", "p-cpe:/a:redhat:enterprise_linux:tanukiwrapper", "p-cpe:/a:redhat:enterprise_linux:ws-commons-policy", "p-cpe:/a:redhat:enterprise_linux:ws-scout0", "cpe:/o:redhat:enterprise_linux:5"], 
"id": "REDHAT-RHSA-2009-0349.NASL", "href": "https://www.tenable.com/plugins/nessus/63877", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2009:0349. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(63877);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-0027\");\n script_xref(name:\"RHSA\", value:\"2009:0349\");\n\n script_name(english:\"RHEL 5 : JBoss EAP (RHSA-2009:0349)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated JBoss Enterprise Application Platform (JBoss EAP) 4.3 packages\nthat fix various issues are now available for Red Hat Enterprise Linux\n5 as JBEAP 4.3.0.CP04.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nJBoss Enterprise Application Platform (JBoss EAP) is the\nmarket-leading platform for innovative and scalable Java applications.\nJBoss EAP integrates the JBoss Application Server with JBoss Hibernate\nand JBoss Seam into a complete, simple enterprise solution.\n\nThis release of JBoss EAP for Red Hat Enterprise Linux 5 serves as a\nreplacement for JBEAP 4.3.0.CP03.\n\nThese updated packages include bug fixes and enhancements which are\ndetailed in the release notes. 
The link to the release notes is\navailable in the References section of this errata.\n\nThe following security issue is also fixed with this release :\n\nThe request handler in JBossWS did not correctly verify the resource\npath when serving WSDL files for custom web service endpoints. This\nallowed remote attackers to read arbitrary XML files with the\npermissions of the EAP process. (CVE-2009-0027)\n\nWarning: before applying this update, please back up the JBoss EAP\n'server/[configuration]/deploy/' directory, as well as any other\ncustomized configuration files.\n\nAll users of JBoss EAP 4.3 on Red Hat Enterprise Linux 5 are advised\nto upgrade to these updated packages, which resolve these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2009-0027\"\n );\n # http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?13c46bfa\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2009:0349\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glassfish-jsf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate3-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jacorb\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jakarta-commons-logging-jboss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-cache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-jaxr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-messaging\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-remoting\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-seam\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-seam-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-vfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-4.3.0.GA_CP04-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossweb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossws-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossws-framework\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jgroups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rh-eap-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rh-eap-docs-examples\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:tanukiwrapper\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ws-commons-policy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ws-scout0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/03/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2009:0349\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! (rpm_exists(release:\"RHEL5\", rpm:\"jbossas-client-\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"JBoss EAP\");\n\n if (rpm_check(release:\"RHEL5\", reference:\"glassfish-jaxb-2.1.4-1.6.1.ep1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"glassfish-jaxb-javadoc-2.1.4-1.6.1.ep1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"glassfish-jsf-1.2_10-0jpp.ep1.5.ep5.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"hibernate3-3.2.4-1.SP1_CP07.0jpp.ep1.14.1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"hibernate3-javadoc-3.2.4-1.SP1_CP07.0jpp.ep1.14.1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jacorb-2.3.0-1jpp.ep1.7.1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jakarta-commons-logging-jboss-1.1-4.1.ep1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jboss-cache-1.4.1-6.SP11.1.ep1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jboss-jaxr-1.2.0-SP2.0jpp.ep1.3.2.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", 
reference:\"jboss-messaging-1.4.0-2.SP3_CP07.1.ep1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jboss-remoting-2.2.2-3.SP11.0jpp.ep1.1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jboss-seam-1.2.1-3.JBPAPP_4_3_0_GA.ep1.10.el5.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jboss-seam-docs-1.2.1-3.JBPAPP_4_3_0_GA.ep1.10.el5.1\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jboss-vfs-1.0.0-1.ep1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jbossas-4.3.0-3.GA_CP04.2.1.ep1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jbossas-4.3.0.GA_CP04-bin-4.3.0-3.GA_CP04.2.1.ep1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jbossas-client-4.3.0-3.GA_CP04.2.1.ep1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jbossts-4.2.3-1.SP5_CP04.1jpp.ep1.2.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jbossweb-2.0.0-6.CP09.0jpp.ep1.1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jbossws-2.0.1-3.SP2_CP05.3.1.ep1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jbossws-common-1.0.0-2.GA_CP03.1.ep1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jbossws-framework-2.0.1-1.GA_CP03.2.ep1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jgroups-2.4.5-2.1.ep1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"rh-eap-docs-4.3.0-4.GA_CP04.ep1.3.1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"rh-eap-docs-examples-4.3.0-4.GA_CP04.ep1.3.1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"tanukiwrapper-3.2.1-2jpp.ep1.2.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"tanukiwrapper-3.2.1-2jpp.ep1.2.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"ws-commons-policy-1.0-2jpp.ep1.7.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"ws-scout0-0.7-0.rc2.4.el5\")) flag++;\n\n if (flag)\n {\n 
security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glassfish-jaxb / glassfish-jaxb-javadoc / glassfish-jsf / etc\");\n }\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:10", "description": "Updated JBoss Enterprise Application Platform (JBoss EAP) 4.2 packages that fix various issues are now available for Red Hat Enterprise Linux 5 as JBEAP 4.2.0.CP06.\n\nThis update has been rated as having moderate security impact by the Red Hat Security Response Team.\n\nJBoss Enterprise Application Platform (JBoss EAP) is the market-leading platform for innovative and scalable Java applications.\nJBoss EAP integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam into a complete, simple enterprise solution.\n\nThis release of JBoss EAP for Red Hat Enterprise Linux 5 serves as a replacement for JBEAP 4.2.0.CP05.\n\nThese updated packages include bug fixes and enhancements which are detailed in the release notes. The link to the release notes is available below in the References section.\n\nThe following security issue is also fixed with this release :\n\nThe request handler in JBossWS did not correctly verify the resource path when serving WSDL files for custom web service endpoints. This allowed remote attackers to read arbitrary XML files with the permissions of the EAP process. 
(CVE-2009-0027)\n\nWarning: before applying this update, make sure to back up the JBEAP 'server/[configuration]/deploy/' directory, as well as any other customized configuration files.\n\nAll users of JBoss EAP 4.2 on Red Hat Enterprise Linux 5 are advised to upgrade to these updated packages, which resolve these issues.", "cvss3": {}, "published": "2013-01-24T00:00:00", "type": "nessus", "title": "RHEL 5 : JBoss EAP (RHSA-2009:0348)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-0027"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:glassfish-jsf", "p-cpe:/a:redhat:enterprise_linux:hibernate3", "p-cpe:/a:redhat:enterprise_linux:hibernate3-javadoc", "p-cpe:/a:redhat:enterprise_linux:jacorb", "p-cpe:/a:redhat:enterprise_linux:jakarta-commons-logging-jboss", "p-cpe:/a:redhat:enterprise_linux:jboss-cache", "p-cpe:/a:redhat:enterprise_linux:jboss-jaxr", "p-cpe:/a:redhat:enterprise_linux:jboss-remoting", "p-cpe:/a:redhat:enterprise_linux:jboss-seam", "p-cpe:/a:redhat:enterprise_linux:jboss-seam-docs", "p-cpe:/a:redhat:enterprise_linux:jboss-vfs", "p-cpe:/a:redhat:enterprise_linux:jbossas", "p-cpe:/a:redhat:enterprise_linux:jbossas-4.2.0.ga_cp06-bin", "p-cpe:/a:redhat:enterprise_linux:ws-commons-policy", "p-cpe:/a:redhat:enterprise_linux:jbossas-client", "p-cpe:/a:redhat:enterprise_linux:jbossts", "p-cpe:/a:redhat:enterprise_linux:ws-scout0", "p-cpe:/a:redhat:enterprise_linux:jbossweb", "p-cpe:/a:redhat:enterprise_linux:jbossws-jboss42", "cpe:/o:redhat:enterprise_linux:5", "p-cpe:/a:redhat:enterprise_linux:jgroups", "p-cpe:/a:redhat:enterprise_linux:rh-eap-docs", "p-cpe:/a:redhat:enterprise_linux:rh-eap-docs-examples", "p-cpe:/a:redhat:enterprise_linux:tanukiwrapper"], "id": "REDHAT-RHSA-2009-0348.NASL", "href": "https://www.tenable.com/plugins/nessus/63876", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from 
Red Hat Security Advisory RHSA-2009:0348. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(63876);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-0027\");\n script_xref(name:\"RHSA\", value:\"2009:0348\");\n\n script_name(english:\"RHEL 5 : JBoss EAP (RHSA-2009:0348)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated JBoss Enterprise Application Platform (JBoss EAP) 4.2 packages\nthat fix various issues are now available for Red Hat Enterprise Linux\n5 as JBEAP 4.2.0.CP06.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nJBoss Enterprise Application Platform (JBoss EAP) is the\nmarket-leading platform for innovative and scalable Java applications.\nJBoss EAP integrates the JBoss Application Server with JBoss Hibernate\nand JBoss Seam into a complete, simple enterprise solution.\n\nThis release of JBoss EAP for Red Hat Enterprise Linux 5 serves as a\nreplacement for JBEAP 4.2.0.CP05.\n\nThese updated packages include bug fixes and enhancements which are\ndetailed in the release notes. The link to the release notes is\navailable below in the References section.\n\nThe following security issue is also fixed with this release :\n\nThe request handler in JBossWS did not correctly verify the resource\npath when serving WSDL files for custom web service endpoints. This\nallowed remote attackers to read arbitrary XML files with the\npermissions of the EAP process. 
(CVE-2009-0027)\n\nWarning: before applying this update, make sure to back up the JBEAP\n'server/[configuration]/deploy/' directory, as well as any other\ncustomized configuration files.\n\nAll users of JBoss EAP 4.2 on Red Hat Enterprise Linux 5 are advised\nto upgrade to these updated packages, which resolve these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2009-0027\"\n );\n # http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?13c46bfa\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2009:0348\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glassfish-jsf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate3-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jacorb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jakarta-commons-logging-jboss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-cache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-jaxr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-remoting\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-seam\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:jboss-seam-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-vfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-4.2.0.GA_CP06-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossweb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossws-jboss42\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jgroups\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rh-eap-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rh-eap-docs-examples\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tanukiwrapper\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ws-commons-policy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ws-scout0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/03/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2009:0348\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! 
(rpm_exists(release:\"RHEL5\", rpm:\"jbossas-client-\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"JBoss EAP\");\n\n if (rpm_check(release:\"RHEL5\", reference:\"glassfish-jsf-1.2_10-0jpp.ep1.5.ep5.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"hibernate3-3.2.4-1.SP1_CP07.0jpp.ep1.14.1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"hibernate3-javadoc-3.2.4-1.SP1_CP07.0jpp.ep1.14.1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jacorb-2.3.0-1jpp.ep1.7.1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jakarta-commons-logging-jboss-1.1-4.1.ep1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jboss-cache-1.4.1-6.SP11.1.ep1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jboss-jaxr-1.2.0-SP2.0jpp.ep1.3.2.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jboss-remoting-2.2.2-3.SP11.0jpp.ep1.1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jboss-seam-1.2.1-1.ep1.12.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jboss-seam-docs-1.2.1-1.ep1.12.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jboss-vfs-1.0.0-1.ep1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jbossas-4.2.0-4.GA_CP06.3.1.ep1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jbossas-4.2.0.GA_CP06-bin-4.2.0-4.GA_CP06.3.1.ep1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jbossas-client-4.2.0-4.GA_CP06.3.1.ep1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jbossts-4.2.3-1.SP5_CP04.1jpp.ep1.2.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jbossweb-2.0.0-6.CP09.0jpp.ep1.1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jbossws-jboss42-1.2.1-1.1.ep1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jgroups-2.4.5-2.1.ep1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"rh-eap-docs-4.2.0-5.GA_CP06.ep1.3.1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", 
reference:\"rh-eap-docs-examples-4.2.0-5.GA_CP06.ep1.3.1.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"tanukiwrapper-3.2.1-2jpp.ep1.2.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"tanukiwrapper-3.2.1-2jpp.ep1.2.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"ws-commons-policy-1.0-2jpp.ep1.7.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"ws-scout0-0.7-0.rc2.4.el5\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glassfish-jsf / hibernate3 / hibernate3-javadoc / jacorb / etc\");\n }\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2023-05-31T14:25:57", "description": "The request handler in JBossWS in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP06 and 4.3 before 4.3.0.CP04 does not properly validate the resource path during a request for a WSDL file with a custom web-service endpoint, which allows remote attackers to read arbitrary XML files via a crafted request.", "cvss3": {}, "published": "2009-03-09T21:30:00", "type": "cve", "title": "CVE-2009-0027", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-0027"], "modified": "2009-03-21T05:53:00", "cpe": 
["cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0", "cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0"], "id": "CVE-2009-0027", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0027", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp03:*:*:*:*:*:*", "cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp04:*:*:*:*:*:*", "cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp02:*:*:*:*:*:*", "cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp06:*:*:*:*:*:*", "cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp03:*:*:*:*:*:*", "cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp04:*:*:*:*:*:*", "cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp01:*:*:*:*:*:*", "cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp05:*:*:*:*:*:*", "cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp02:*:*:*:*:*:*", "cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp01:*:*:*:*:*:*"]}], "ubuntucve": [{"lastseen": "2023-05-31T14:28:02", "description": "The request handler in JBossWS in JBoss Enterprise Application Platform\n(aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP06 and 4.3 before 4.3.0.CP04\ndoes not properly validate the resource path during a request for a WSDL\nfile with a custom web-service endpoint, which allows remote attackers to\nread arbitrary XML files via a crafted request.", "cvss3": {}, "published": "2009-03-09T00:00:00", "type": "ubuntucve", "title": "CVE-2009-0027", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-0027"], "modified": "2009-03-09T00:00:00", "id": "UB:CVE-2009-0027", "href": "https://ubuntu.com/security/CVE-2009-0027", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}
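The advisory and CVE text above say only that the JBossWS request handler "did not correctly verify the resource path" when serving a WSDL for a custom endpoint, so a crafted request could read arbitrary XML files as the EAP process. The block below is an added illustration of that class of bug and the usual containment check, written for this page; it is not JBossWS source and does not claim to be the vendor's actual fix. The class name, the directory layout under a temp directory, and the file contents are all constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.util.Locale;

/**
 * Hypothetical WSDL resource resolver (example for this page, not JBossWS code).
 * Contrasts an unchecked path join with a containment check against the
 * canonical WSDL directory.
 */
public final class WsdlResourceResolver {

    private final Path wsdlBase; // canonical directory holding published WSDL/XSD files

    public WsdlResourceResolver(Path wsdlBase) throws IOException {
        // toRealPath() resolves symlinks so later startsWith() compares canonical paths
        this.wsdlBase = wsdlBase.toRealPath();
    }

    /** Vulnerable pattern: the client-supplied name is joined to the base and served as-is. */
    public Path resolveUnchecked(String resource) {
        return wsdlBase.resolve(resource).normalize();
    }

    /** Hardened: only existing .wsdl/.xsd files that stay inside wsdlBase are served. */
    public Path resolveChecked(String resource) throws IOException {
        if (resource == null || resource.isEmpty() || resource.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or malformed resource name");
        }
        String lower = resource.toLowerCase(Locale.ROOT);
        if (!(lower.endsWith(".wsdl") || lower.endsWith(".xsd"))) {
            throw new IllegalArgumentException("not a WSDL/XSD resource: " + resource);
        }
        Path candidate = wsdlBase.resolve(resource).normalize();
        if (!candidate.startsWith(wsdlBase)) {
            throw new SecurityException("resource escapes WSDL directory: " + resource);
        }
        if (!Files.isRegularFile(candidate)) {
            throw new NoSuchFileException(resource);
        }
        // Re-check after following symlinks inside the directory.
        Path real = candidate.toRealPath();
        if (!real.startsWith(wsdlBase)) {
            throw new SecurityException("symlink escapes WSDL directory: " + resource);
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/deploy/wsdl/Hello.wsdl plus a sensitive <tmp>/conf/login-config.xml
        Path root = Files.createTempDirectory("jbossws-demo");
        Path wsdlDir = Files.createDirectories(root.resolve("deploy/wsdl"));
        Path confDir = Files.createDirectories(root.resolve("conf"));
        Files.write(wsdlDir.resolve("Hello.wsdl"), "<definitions/>".getBytes(StandardCharsets.UTF_8));
        Files.write(confDir.resolve("login-config.xml"), "<policy/>".getBytes(StandardCharsets.UTF_8));

        WsdlResourceResolver r = new WsdlResourceResolver(wsdlDir);
        String traversal = "../../conf/login-config.xml";

        // The unchecked join lands outside the WSDL directory.
        System.out.println("unchecked -> " + r.resolveUnchecked(traversal));
        // The checked resolver serves the real WSDL and rejects the traversal.
        System.out.println("checked   -> " + r.resolveChecked("Hello.wsdl"));
        try {
            r.resolveChecked(traversal);
        } catch (RuntimeException e) {
            System.out.println("checked rejects traversal: " + e.getMessage());
        }
    }
}
```

Two points a reviewer would want visible here: the suffix allow-list alone is not enough (a request for `../../conf/x.wsdl` still has to be stopped by the `startsWith(wsdlBase)` check), and the containment test has to be done on canonical paths, otherwise a symlink dropped into the deployment directory defeats it. The scanner checks in the NASL plugins above only confirm the package versions; they do not exercise this handler.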