Chapter 6. Fixed CVEs

JBoss EAP 7.2 includes fixes for the following security-related issues:

  • CVE-2017-7503: xml frameworks: JBoss EAP 7.0.5 implementation of javax.xml.transform.TransformerFactory is vulnerable to XXE
  • CVE-2018-10237: guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service
  • CVE-2018-1067: undertow: HTTP header injection using CRLF with UTF-8 encoding
  • CVE-2018-10862: wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files
  • CVE-2017-12174: artemis/hornetq: Memory exhaustion via UDP and JGroups discovery
  • CVE-2017-12629: Solr: Code execution via entity expansion
  • CVE-2017-15089: infinispan: Unsafe deserialization of malicious object injected into data cache
  • CVE-2017-12196: undertow: Client can use bogus uri in Digest authentication
  • CVE-2018-8088: slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
  • CVE-2018-1047: undertow: Path traversal in ServletResourceManager class
  • CVE-2018-8039: apache-cxf: TLS hostname verification does not work correctly with com.sun.net.ssl.*