Multiple vulnerabilities in Red Hat JBoss Enterprise Application Platform 7.4

Published: 2023-08-08

Risk	Medium
Patch available	YES
Number of vulnerabilities	3
CVE-ID	CVE-2021-46877 CVE-2023-1436 CVE-2023-3223
CWE-ID	CWE-502 CWE-674 CWE-400
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	JBoss Enterprise Application Platform Server applications / Application servers
Vendor	Red Hat Inc.

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Deserialization of Untrusted Data

EUVDB-ID: #VU59148

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-46877

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insecure input validation when processing serialized JsonNode values. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Note, the vulnerability affects JDK serialization only.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

JBoss Enterprise Application Platform: 7.4.0 - 7.4.11

Fixed software versions

CPE2.3

cpe:2.3:a:red_hat:jboss_enterprise_application_platform:7.4.11:*:*:*:*:*:*:*

External links

http://access.redhat.com/errata/RHSA-2023:4509

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Uncontrolled Recursion

EUVDB-ID: #VU75431

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2023-1436

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to uncontrolled recursion when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

JBoss Enterprise Application Platform: 7.4.0 - 7.4.11

Fixed software versions

CPE2.3

cpe:2.3:a:red_hat:jboss_enterprise_application_platform:7.4.11:*:*:*:*:*:*:*

External links

http://access.redhat.com/errata/RHSA-2023:4509

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Resource exhaustion

EUVDB-ID: #VU79114

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2023-3223

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources by servlets annotated with @MultipartConfig. A remote attacker can send a large multipart content to the server, consume all available memory resources and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

JBoss Enterprise Application Platform: 7.4.0 - 7.4.11

Fixed software versions

CPE2.3

cpe:2.3:a:red_hat:jboss_enterprise_application_platform:7.4.11:*:*:*:*:*:*:*

External links

http://access.redhat.com/errata/RHSA-2023:4509

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?