SB2018020602 - Denial of service in Red Hat JBoss
Published: February 6, 2018
Description
This security bulletin contains information about 2 vulnerabilities.
1) Infinite loop (CVE-ID: CVE-2018-1041)
CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear
The vulnerability allows an adjacent attacker to cause a denial of service (DoS) condition on the target system.
The weakness exists due to an error when handling malicious input. An adjacent attacker can send specially crafted data that triggers an empty buffer read error in RemoteMessageChannel, causing the application to enter an infinite loop, consume excessive CPU resources and ultimately crash the service.
2) Heap memory exhaustion (CVE-ID: CVE-2017-12174)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on the target system.
The weakness exists due to heap memory exhaustion. A remote attacker can trigger memory corruption and cause the service to crash.
Remediation
Install the update from the vendor's website.