#VU38291 Inconsistent interpretation of HTTP requests in JBoss Enterprise Application Platform


Published: 2017-09-13 | Updated: 2020-08-08

Vulnerability identifier: #VU38291

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-7561

CWE-ID: CWE-444

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
JBoss Enterprise Application Platform
Server applications / Application servers

Vendor: Red Hat Inc.

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

Red Hat JBoss EAP version 3.0.7 through before 4.0.0.Beta1 is vulnerable to a server-side cache poisoning or CORS requests in the JAX-RS component resulting in a moderate impact.

Mitigation
Install update from vendor's website.

Vulnerable software versions

JBoss Enterprise Application Platform: 3.0.7 - 3.5.1

External links
http://www.securityfocus.com/bid/100465
http://access.redhat.com/errata/RHSA-2018:0002
http://access.redhat.com/errata/RHSA-2018:0003
http://access.redhat.com/errata/RHSA-2018:0004
http://access.redhat.com/errata/RHSA-2018:0005
http://access.redhat.com/errata/RHSA-2018:0478
http://access.redhat.com/errata/RHSA-2018:0479
http://access.redhat.com/errata/RHSA-2018:0480
http://access.redhat.com/errata/RHSA-2018:0481
http://issues.jboss.org/browse/RESTEASY-1704

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Red Hat JBoss Enterprise Application Platform 7.1.1 for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Application Platform 7.1.1 for Red Hat Enterprise Linux 7 update for eap7-jboss-ec2-eap
Inconsistent interpretation of HTTP requests in JBoss Enterprise Application Platform