Chapter 3. Verified and Resolved CVEs

3.1. Verified CVEs

The following CVEs have been verified in this release:

CVE-2012-1148
A memory-leak flaw was found in Expat. If an XML file processed by an application linked against Expat triggered a memory re-allocation failure, Expat failed to free the previously allocated memory. This could cause the application to exit unexpectedly or crash when all available memory was exhausted.
CVE-2014-3523
A memory leak was found in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in httpd on Windows. When the default AcceptFilter was enabled, this allowed remote attackers to cause a denial of service (memory consumption) using crafted requests.
CVE-2014-8176
An invalid-free flaw was found in the way OpenSSL handled certain DTLS handshake messages. A malicious DTLS client or server could send a specially crafted message to the peer, which could then cause the application to crash or potentially result in arbitrary code execution.
CVE-2016-1834
A heap-based buffer overflow vulnerability in the xmlStrncat function in libxml2 allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption) using a crafted XML document.
CVE-2016-1840
A heap-based buffer overflow vulnerability was found in the xmlFAParsePosCharGroup function in libxml2. The flaw allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption) using a crafted XML document.
CVE-2016-2108
A flaw was found in the way OpenSSL encoded certain ASN.1 data structures. An attacker could use this flaw to create a specially crafted certificate which, when verified or re-encoded by OpenSSL, could cause it to crash, or execute arbitrary code using the permissions of the user running an application compiled against the OpenSSL library.
CVE-2016-4459
A buffer-overflow vulnerability was discovered in mod_cluster. When using a JVMRoute path longer than 80 characters in the configuration, a segmentation fault occurred leading to a server crash.
CVE-2016-6808
A buffer-overflow vulnerability was discovered in mod_jk, where the virtual host name and the URI are concatenated to create a virtual host mapping rule. It was found that the length checks prior to writing to the target buffer for this rule did not take into account the length of the virtual host name, creating the potential for a buffer overflow.
CVE-2016-8612
A protocol-parsing flaw was found in mod_cluster’s load balancer, which allowed an attacker to cause a segmentation fault.
CVE-2016-2178
It was discovered that OpenSSL did not always use constant time operations when computing Digital Signature Algorithm (DSA) signatures. A local attacker could possibly use this flaw to obtain a private DSA key belonging to another user or service running on the same system.
CVE-2016-2177
Multiple integer-overflow flaws were found in the way OpenSSL performed pointer arithmetic. A remote attacker could possibly use these flaws to cause a TLS/SSL server or client using OpenSSL to crash.

3.2. Resolved CVEs

The following CVEs have been included in this release, but have yet to be functionally tested:

CVE-2015-0286
An invalid pointer use flaw was found in OpenSSL’s ASN1_TYPE_cmp() function. With a specially crafted X.509 certificate that had been verified by the application, a remote attacker could crash a TLS/SSL client or server using OpenSSL.
CVE-2015-3196
A race-condition flaw, leading to a double-free vulnerability, was found in the way OpenSSL handled pre-shared key (PSK) identity hints. A remote attacker could use this flaw to crash a multi-threaded SSL/TLS client using OpenSSL.
CVE-2016-5419
It was found that the libcurl library did not prevent TLS session resumption after the client certificate had changed. An attacker could potentially use this flaw to hijack connection authentication by leveraging a previously created connection with a different client certificate.
CVE-2016-5420
It was found that the libcurl library did not check the client certificate when choosing the TLS connection to reuse. An attacker could potentially use this flaw to hijack connection authentication by leveraging a previously created connection with a different client certificate.
CVE-2016-0799
Several flaws were found in the way BIO_*printf functions were implemented in OpenSSL. Applications which passed large amounts of untrusted data through these functions could crash or potentially execute code with the permissions of the user running such an application.
CVE-2016-2842
Several flaws were found in the way BIO_*printf functions were implemented in OpenSSL. Applications which passed large amounts of untrusted data through these functions could crash or potentially execute code with the permissions of the user running such an application.
CVE-2016-7141
It was found that, in certain cases, the libcurl library using the NSS (Network Security Services) library as its TLS/SSL backend incorrectly reused client certificates for subsequent TLS connections. An attacker could potentially use this flaw to hijack connection authentication by leveraging a previously created connection with a different client certificate.
CVE-2016-1838
The xmlParserPrintFileContextInternal function in libxml2 allowed remote attackers to cause a denial of service (heap-based buffer over-read) using a crafted XML document.
CVE-2016-1762
The xmlNextChar function in libxml2 before 2.9.4 allowed remote attackers to cause a denial of service (heap-based buffer over-read) using a crafted XML document.
CVE-2016-1837
Multiple use-after-free vulnerabilities were found in the htmlParsePubidLiteral and htmlParseSystemLiteral functions in libxml2 that allowed remote attackers to cause a denial of service using a crafted XML document.
CVE-2016-1833
The htmlCurrentChar function in libxml2 allowed remote attackers to cause a denial of service (heap-based buffer over-read) using a crafted XML document.
CVE-2016-4447
The xmlParseElementDecl function in parser.c in libxml2 before 2.9.4 allowed context-dependent attackers to cause a denial of service (heap-based buffer under-read and application crash) using a crafted file, involving xmlParseName.
CVE-2016-1835
A use-after-free vulnerability was found in the xmlSAX2AttributeNs function in libxml2 that allowed remote attackers to cause a denial of service using a crafted XML document.
CVE-2016-4449
An XML external entity (XXE) vulnerability was found in the xmlStringLenDecodeEntities function in parser.c in libxml2, when not in validating mode, which could allow context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) using unspecified vectors.
CVE-2016-1839
The xmlDictAddString function in libxml2 allowed remote attackers to cause a denial of service (heap-based buffer over-read) using a crafted XML document.
CVE-2016-1836
A use-after-free vulnerability was found in the xmlDictComputeFastKey function in libxml2 that allowed remote attackers to cause a denial of service using a crafted XML document.
CVE-2016-4448
A format-string vulnerability in libxml2 allowed attackers to have an unspecified impact using format string specifiers in unknown vectors.
CVE-2016-2107
It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when the connection used the AES CBC cipher suite and the server supported AES-NI. A remote attacker could possibly use this flaw to retrieve plain text from encrypted packets by using a TLS/SSL or DTLS server as a padding oracle.
CVE-2016-2106
An integer-overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncryptUpdate() function of OpenSSL parsed very large amounts of input data. A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application.
CVE-2016-2105
An integer-overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncodeUpdate() function of OpenSSL parsed very large amounts of input data. A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application.
CVE-2016-2109
A denial of service flaw was found in the way OpenSSL parsed certain ASN.1-encoded data from BIO (OpenSSL’s I/O abstraction) inputs. An application using OpenSSL that accepted untrusted ASN.1 BIO input could be forced to allocate an excessive amount of data.
CVE-2016-0797
An integer-overflow flaw, leading to a NULL-pointer dereference or heap-based memory corruption, was found in the implementation of some BIGNUM functions of OpenSSL. Applications that use these functions with large untrusted input could crash or, potentially, execute arbitrary code.
CVE-2016-0702
A side-channel attack was found that made use of cache-bank conflicts on the Intel Sandy Bridge microarchitecture. An attacker who could control code in a thread running on the same hyper-threaded core as the victim’s thread performing decryption could use this flaw to recover RSA private keys.
CVE-2016-0705
A double-free flaw was found in the way OpenSSL parsed certain malformed DSA (Digital Signature Algorithm) private keys. An attacker could create specially crafted DSA private keys that, when processed by an application compiled against OpenSSL, could cause the application to crash.
CVE-2015-3185
It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication had been used. An httpd module using this API function could consequently allow access that should have been denied.
CVE-2015-3195
A memory-leak vulnerability was found in the way OpenSSL parsed PKCS#7 and CMS data. A remote attacker could use this flaw to cause an application that parses PKCS#7 or CMS data from untrusted sources to use an excessive amount of memory and possibly crash.
CVE-2015-0209
A use-after-free flaw was found in the way OpenSSL imported malformed Elliptic Curve private keys. A specially crafted key file could cause an application using OpenSSL to crash when imported.
CVE-2015-3216
A regression flaw was found in the ssleay_rand_bytes() function in OpenSSL which could cause a multi-threaded application to crash.
CVE-2015-3194
A NULL-pointer dereference flaw was found in the way OpenSSL verified signatures using the RSA PSS algorithm. A remote attacker could possibly use this flaw to crash a TLS/SSL client using OpenSSL, or a TLS/SSL server using OpenSSL if it enabled client authentication.