Red Hat update for Red Hat JBoss Enterprise Application Platform 6.4.18



Published: 2017-11-14
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2017-2582
CWE-ID CWE-200
Exploitation vector Network
Public exploit N/A
Vulnerable software
JBoss Enterprise Application Platform
Server applications / Application servers

Vendor Red Hat Inc.

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Information disclosure

EUVDB-ID: #VU14267

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-2582

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists in the StaxParserUtil class of the PicketLink feature, which improperly parses Security Assertion Markup Language (SAML) messages. A remote attacker can send a specially crafted SAML request containing malicious input and obtain sensitive information, such as the values of system properties.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

JBoss Enterprise Application Platform: 6.4.0

External links

http://access.redhat.com/errata/RHSA-2017:3216


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
