Chapter 7. Fixed CVEs
JBoss EAP 7.1 includes fixes for the following security related issues:
- CVE-2016-6311: Internal IP address disclosed on redirect when request header Host field is not set
- CVE-2016-2141: Add authorization checks by default on JGroups message receipt
- CVE-2016-5406: RBAC configurations are discarded by transformers for legacy slaves running management API versions 1.8 and earlier
- CVE-2016-4993: HTTP header injection / response splitting
- CVE-2015-0254: XXE and RCE via XSL extension in JSTL XML tags
- CVE-2016-7046: Long URL proxy request leads to java.nio.BufferOverflowException and DoS
- CVE-2016-8627: Potential EAP resource starvation DoS attack via GET requests for server log files
- CVE-2016-7061: Sensitive data can be exposed at the server level in domain mode
- CVE-2016-8656: Unsafe chown of server.log in the JBoss init script allows privilege escalation
- CVE-2016-9589: ParseState headerValuesCache can be exploited to fill heap with garbage
- CVE-2017-2595: Arbitrary file read via path traversal
- CVE-2016-9606: Resteasy: Yaml unmarshalling vulnerable to RCE
- CVE-2017-2666: HTTP Request smuggling vulnerability due to permitting invalid characters in HTTP requests
- CVE-2017-2670: WebSocket non-clean close can cause the IO thread to get stuck in a loop
- CVE-2016-4978: JMSObjectMessage deserializes potentially malicious objects allowing Remote Code Execution
- CVE-2017-7525: jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper
- CVE-2017-2582: SAML request parser replaces special strings with system properties
- CVE-2014-9970: jasypt: Vulnerable to timing attack against the password hash comparison
- CVE-2015-6644: bouncycastle: Information disclosure in GCMBlockCipher
- CVE-2017-5645: log4j: Socket receiver deserialization vulnerability
- CVE-2017-7536: hibernate-validator: Privilege escalation when running under the security manager
- CVE-2017-12165: Improper whitespace parsing leading to potential HTTP request smuggling
- CVE-2017-7559: Potential HTTP request smuggling as Undertow parses HTTP headers containing unusual whitespace
- CVE-2016-7066: World executable permission on bin/jboss-cli after installation. Any users of the system could cause harm, or shutdown the running instance of JBoss EAP
- CVE-2017-12167: Wrong privileges on multiple property files
