Multiple vulnerabilities in Red Hat JBoss Enterprise Application Platform 7.4



Published: 2022-08-09
Risk High
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2021-44906
CVE-2022-24823
CVE-2022-25647
CWE-ID CWE-400
CWE-378
CWE-502
Exploitation vector Network
Public exploit N/A
Vulnerable software
JBoss Enterprise Application Platform
Server applications / Application servers

Vendor Red Hat Inc.

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Resource exhaustion

EUVDB-ID: #VU64030

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-44906

CWE-ID: CWE-400 - Uncontrolled Resource Consumption ('Resource Exhaustion')

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists because the application does not properly control consumption of internal resources. A remote attacker can trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.
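The description above names the two key shapes (`constructor` and `__proto__`) that a prototype-pollution payload uses against a library that merges untrusted input into objects. The block below is an added example, not code from the advisory, from Red Hat or from the affected library: a deep merge that refuses to walk those keys, and a baseline check that tells you whether `Object.prototype` has gained properties since startup. All function names and the JSON sample are our own constructions.

```javascript
// Added example, not code from the advisory or from Red Hat: a deep merge that
// refuses the keys prototype pollution relies on, plus a startup-baseline check
// that Object.prototype has not gained properties. All names here are ours.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Snapshot of Object.prototype taken at module load; compared against later.
const PROTO_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

function isPlainObject(v) {
  if (v === null || typeof v !== 'object' || Array.isArray(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Merges `source` into `target` in place. Only own enumerable keys are walked,
// forbidden keys are recorded in `rejected` instead of being copied, and the
// merge never descends into a property that `target` merely inherits.
function safeMerge(target, source, path = '', rejected = []) {
  for (const key of Object.keys(source)) {
    const keyPath = path ? `${path}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) {
      rejected.push(keyPath);
      continue;
    }
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value, keyPath, rejected);
    } else {
      target[key] = value;
    }
  }
  return { merged: target, rejected };
}

// True if Object.prototype now carries a property it did not have at load time.
// Useful as a runtime canary in a service that parses untrusted JSON.
function prototypePollutionDetected() {
  return Object.getOwnPropertyNames(Object.prototype).some((n) => !PROTO_BASELINE.has(n));
}

// Constructed sample: an untrusted JSON document carrying the two key shapes the
// advisory names. JSON.parse produces an *own* property called "__proto__",
// which is exactly why Object.keys() sees it and the merge can refuse it.
const CONSTRUCTED_INPUT = JSON.parse(
  '{"server":{"port":8080},"__proto__":{"isAdmin":true},' +
  '"nested":{"constructor":{"prototype":{"x":1}}}}'
);

// Usage: merge into a default config and report what was refused.
const demo = safeMerge({ server: { host: 'localhost' } }, CONSTRUCTED_INPUT);
console.log(JSON.stringify(demo.merged), demo.rejected, prototypePollutionDetected());
```

The `rejected` list is what you would log or alert on: a legitimate configuration document has no reason to contain `__proto__` or `constructor` keys, so their presence is a useful detection signal on its own, independent of whether the merge was vulnerable.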

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

JBoss Enterprise Application Platform: 7.4.0 - 7.4.5


External links

http://access.redhat.com/errata/RHSA-2022:5928

Q & A

Can this vulnerability be exploited remotely?

Is there known malware which exploits this vulnerability?

2) Creation of Temporary File With Insecure Permissions

EUVDB-ID: #VU62849

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-24823

CWE-ID: CWE-378 - Creation of Temporary File With Insecure Permissions

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to the use of insecure permissions for temporary files. A local user can view the contents of those temporary files and gain access to sensitive information.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

JBoss Enterprise Application Platform: 7.4.0 - 7.4.5


External links

http://access.redhat.com/errata/RHSA-2022:5928

Q & A

Can this vulnerability be exploited remotely?

Is there known malware which exploits this vulnerability?

3) Deserialization of Untrusted Data

EUVDB-ID: #VU64152

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-25647

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to insecure input validation when processing serialized data passed to the writeReplace() method. A remote attacker can pass specially crafted data to the application and perform a denial of service attack.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

JBoss Enterprise Application Platform: 7.4.0 - 7.4.5


External links

http://access.redhat.com/errata/RHSA-2022:5928

Q & A

Can this vulnerability be exploited remotely?

Is there known malware which exploits this vulnerability?
