SB2017082209 - Multiple vulnerabilities in JBoss Enterprise Application Platform

Description

This security bulletin contains information about 2 vulnerabilities.

1) XML External Entity injection (CVE-ID: CVE-2017-7464)

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

It was found that the JAXP implementation used in JBoss EAP 7.0 for SAX and DOM parsing is vulnerable to certain XXE flaws. An attacker could use this flaw to cause DoS, SSRF, or information disclosure if they are able to provide XML content for parsing.

2) Information disclosure (CVE-ID: CVE-2016-6311)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Get requests in JBoss Enterprise Application Platform (EAP) 7 disclose internal IP addresses to remote attackers.

Remediation

Install update from vendor's website.

References

• http://www.securityfocus.com/bid/98450
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7464
• https://access.redhat.com/errata/RHSA-2017:3454
• https://access.redhat.com/errata/RHSA-2017:3455
• https://access.redhat.com/errata/RHSA-2017:3456
• https://access.redhat.com/errata/RHSA-2017:3458
• https://bugzilla.redhat.com/show_bug.cgi?id=1362735