Any impacts of some tomcat CVEs on JBoss products?
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
- 5.x
- 6.x
Issue
- Does these tomcat CVEs impacts on JBoss products. Especially they are using EAP 5.1.2.
- CVE-2015-5174 https://access.redhat.com/security/cve/CVE-2015-5174
- CVE-2015-5345 https://access.redhat.com/security/cve/CVE-2015-5345
- CVE-2015-5346 https://access.redhat.com/security/cve/CVE-2015-5346
- CVE-2015-5351 https://access.redhat.com/security/cve/CVE-2015-5351
- CVE-2016-0706 https://access.redhat.com/security/cve/CVE-2016-0706
- CVE-2016-0714 https://access.redhat.com/security/cve/CVE-2016-0714
- CVE-2016-0763 https://access.redhat.com/security/cve/CVE-2016-0763
Resolution
They all are Moderate/Low issues, we don't plan to fix these issues in EAP 5.
Out of Moderate issues (CVE-2015-5351, CVE-2016-0714, CVE-2016-0763) only CVE-2016-0714 is relevant for EAP. However, the impact for EAP is lower, since EAP probably has a lot of deserialization locations, and will likely run the Tomcat code with less privileges. Other Low impact issues are not planned to be fixed in EAP. As for CVE-2016-0714, we don't know right now if it will be fixed or not. It will need some more analysis.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.