SB2021113014 - Multiple vulnerabilities in Red Hat JBoss Web Server

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2021113014

SB2021113014 - Multiple vulnerabilities in Red Hat JBoss Web Server

Published: November 30, 2021

Security Bulletin ID SB2021113014
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2021-33037)

The vulnerability allows a remote attacker to preform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests, related to processing of transfer encoding headers.  A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.


2) Improper Authentication (CVE-ID: CVE-2021-30640)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in the JNDI Realm when processing authentication requests. A remote attacker can authenticate using variations of a valid user name and bypass some of the protection provided by the LockOut Realm.


3) Resource exhaustion (CVE-ID: CVE-2021-42340)

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak when processing HTTP connections. A remote attacker can initiate multiple HTTP connections with the web server and consume all available memory on the system.

Remediation

Install update from vendor's website.

References